IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Greg Wilkins <gregw@webtide.com> Sat, 09 October 2010 21:45 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C4A93A692E for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 14:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[AWL=0.227, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Un-5X5CMbO4k for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 14:45:42 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 433DF3A68FB for <hybi@ietf.org>; Sat, 9 Oct 2010 14:45:42 -0700 (PDT)
Received: by iwn10 with SMTP id 10so2761139iwn.31 for <hybi@ietf.org>; Sat, 09 Oct 2010 14:46:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.145.4 with SMTP id d4mr126782icv.169.1286660809958; Sat, 09 Oct 2010 14:46:49 -0700 (PDT)
Received: by 10.231.39.199 with HTTP; Sat, 9 Oct 2010 14:46:49 -0700 (PDT)
In-Reply-To: <AANLkTi=9STxevHLh7jEQ-LnPUadS5hTWtq9NUDKSNnSc@mail.gmail.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com> <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com> <4CA772A1.2090808@caucho.com> <AANLkTi=nLixtxMEd4B58Zp5FRbquNX2C_=7gCf9BGGQs@mail.gmail.com> <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <AANLkTingLtQ7q=5jVBe4xZTdNoXbA3N-N8+TJ+yeON-K@mail.gmail.com> <AANLkTinHjvwRQedG8BqCbWv3u6GidH_2-ZwehS4fuVpv@mail.gmail.com> <AANLkTi=9STxevHLh7jEQ-LnPUadS5hTWtq9NUDKSNnSc@mail.gmail.com>
Date: Sun, 10 Oct 2010 08:46:49 +1100
Message-ID: <AANLkTim9JWH15Cc9esL4hCP5cAcK=VvHLU-_9TFe=Gr_@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 21:45:43 -0000

On 10 October 2010 03:39, Eric Rescorla <ekr@rtfm.com> wrote:
> Accordingly, I'd like to have a design that makes as minimal
> assumptions about the behavior of the target server as possible and I'd like
> those
> assumptions to be rooted to the extent possible in behaviors which either
> (1) are required by standards or (2) are required for the server to function
> interoperably at all, if not both. Do you disagree?

I agree to some extent.

but note that the standards have several requirements on 1xx responses
(eg no bodies, in response to an upgrade) that the PHP script in the
supposed attack violates.  So according  to your criteria above we
would not need to consider this, even though the evidence is that a
commonly deployed server allows it.

As upgrade is an underutilized mechanism, it may be that there are
many implementations out there that do not enforce this aspect of the
specification.    This is unfortunate as it does peel back a layer of
defence that we would otherwise have.    But so long as this is a not
a necessary layer for defending initial deployments, then I think it
would be sufficient for us to raise issues on the commonly deployed
servers indicating they are breaking the specification and creating
security concerns by allowing applications to generate 101 responses.

With regards to my null trial - I agree that such "surveys" (specially
with a sample size of 1) are not really indicative, only somewhat
informative.      However, I do think we need to analyse our framing
from the perspective of could WS frames be mistaken for HTTP requests.

regards

v2.23.0 | Report a Bug | By Email