Re: [hybi] New port and Tunneling?
"Shelby Moore" <shelby@coolpage.com> Wed, 18 August 2010 08:24 UTC
Return-Path: <shelby@coolpage.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19A6F3A6A09 for <hybi@core3.amsl.com>; Wed, 18 Aug 2010 01:24:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.714
X-Spam-Level:
X-Spam-Status: No, score=-1.714 tagged_above=-999 required=5 tests=[AWL=0.570, BAYES_00=-2.599, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9rewTBYcZ8mf for <hybi@core3.amsl.com>; Wed, 18 Aug 2010 01:24:14 -0700 (PDT)
Received: from www5.webmail.pair.com (www5.webmail.pair.com [66.39.3.83]) by core3.amsl.com (Postfix) with SMTP id A2C213A6A27 for <hybi@ietf.org>; Wed, 18 Aug 2010 01:24:14 -0700 (PDT)
Received: (qmail 16274 invoked by uid 65534); 18 Aug 2010 08:24:49 -0000
Received: from 121.97.54.174 ([121.97.54.174]) (SquirrelMail authenticated user shelby@coolpage.com) by sm.webmail.pair.com with HTTP; Wed, 18 Aug 2010 04:24:49 -0400
Message-ID: <7cb6a673e4e0a7c704691452c48f97a5.squirrel@sm.webmail.pair.com>
In-Reply-To: <AANLkTimyjqZtWaBsSrC1_udsYSMnnCPkLjYR8rq-Sn0p@mail.gmail.com>
References: <9e3c9de9b6d6278aa26921f4b22963ad.squirrel@sm.webmail.pair.com> <b5f838a87561f318ae6c3958a058b057.squirrel@sm.webmail.pair.com> <657f148a719e31c1699dccfe3e6e63c4.squirrel@sm.webmail.pair.com> <AANLkTimV77PKU3pTAgfBMu5XvzKX7ovHdE6xBCh9o-dx@mail.gmail.com> <340466c936045003a3930a65610df597.squirrel@sm.webmail.pair.com> <AANLkTimyjqZtWaBsSrC1_udsYSMnnCPkLjYR8rq-Sn0p@mail.gmail.com>
Date: Wed, 18 Aug 2010 04:24:49 -0400
From: Shelby Moore <shelby@coolpage.com>
To: Adam Barth <ietf@adambarth.com>
User-Agent: SquirrelMail/1.4.20
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: hybi@ietf.org
Subject: Re: [hybi] New port and Tunneling?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: shelby@coolpage.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 08:24:17 -0000
I will read it next, but quick reply to say: 1) Agreed, because if the browser has a bug that reveals my session id for AsiaDear.com, my security is broken. I have to rely on the browser for persistance, but what I have done is made sure that only a bug in the browser can do it, not some other type of vulnerability. 2) Apologize for the tone of my prior email about your research paper. I wasn't expecting that you would appreciate my points, but seems I wasn't patient enough (past experience sorry). Also if you are approaching this from a "what is practical in real world" perspective, I can understand why your research would be less "idealistic" than my points. Nevertheless, I hope we can agree that it is a major win when we can be idealistic and achieve the isolation of #1 above. > Thanks for your detailed response. I think I understand your > perspective better now. Unfortunately, whether or not we judge the > fault to lie with the server, browser vendors still take it upon > themselves to avoid these issues. For some perspective on why this is > the case, you might enjoy reading this post: > > http://www6.ietf.org/mail-archive/web/hybi/current/msg02400.html > > Kind regards, > Adam > > > On Wed, Aug 18, 2010 at 12:19 AM, Shelby Moore <shelby@coolpage.com> > wrote: >> Hi Adam, >> >> Please skip down the numbered point first, to see your gross >> mis-understandings. >> >> Sincerely thanks for expressing your opinion. I appreciate it. I have >> opened your web page ( http://adambarth.com ) and I understand you are a >> PhD with some focus on cross origin security (my credentials are >> mentioned >> below). Could we Skype for 20 mins, because it might be much more >> efficient to resolve this? Or a private email discussion? Then one of us >> can come here and admit defeat after we hash it out. I have no problem >> with accepting when I am wrong, but I need to understand first. And I am >> reasonably confident (you will read why below) that in this case the >> misunderstanding is predominantly on your side. Let me see if I can >> clear >> this up below. If you prefer to debate on this public list, that is fine >> with me. If you prefer to ignore me or make only sweeping statements >> with >> no specific debate, then I will consider you have lost the debate. Let's >> try not to get personal and inflamed, and let us stick to the facts. >> >> After sending this email, I am going to take some time to read some of >> your publications, so I can understand better your expertise. I will >> show >> you that respect/appreciation and give my time to understand you (for my >> own benefit of course). I appreciate if you would allocate just a little >> time to steering this thread to a successful conclusion (one way or the >> other), without just a sweeping statement of expert authority (those >> often >> are correct, but just once in a while they are gross errors). I do >> understand that it is not a free market if I demand your time, so I will >> understand if you decline. >> >> We will probably discover that we are both correct, and we just didn't >> understand the nuances of what each other. It is important that we >> discover in what ways we are both correct, so that we are clear on the >> nuances. We must respect each other, and assume intelligience until >> clearly proven beyond any reasonable doubt otherwise. If we merely talk >> past each other (because we are too lazy or too busy or too >> arrogant...myself included), then understanding will fail. You obviously >> take browser security very seriously as I do too. So unless you think I >> am >> a total idiot (without even giving me an interactive dialogue to show >> you >> otherwise), I can't imagine why you wouldn't want to at least make a >> modicum of attempt at mutual understanding. But then again, I am >> confident >> enough to go on without you and the list too (I love free markets). >> >> Unfortunately, you didn't provide much specific information about your >> misunderstandings, that could help me know if you are correct or not. >> Based on the incorrect statements you made, I am nearly certain you just >> broadstroked this without really understanding my points. I will detail >> as follows: >> >> 1. Contrary to your allegation, my prior points did not summarize the >> way >> browser security currently works in every instance (e.g. XMLHttpRequest, >> SOP applied to client-side resources, etc), rather to point out a way it >> should work (in fact does work now! see below), if it was (is!) done >> optimally. And my analysis was only focused on the aspect of SOP applied >> specifically to browser network resource requests, i.e. when/should/does >> the browser restrict network resource requests to SOP. Please re-read >> the >> prior sentence a few times to remember the narrow focus. >> >> Also I humbly suggest that you remember that SOP is never an avoidable >> restriction for network script requests from the browser, because SOP is >> not applied to the <script> tag (oh maybe there is a case that I am not >> aware but it isn't common because I haven't seen it yet). So actually I >> was explaining how the browser works now with respect to <script>. Then >> I >> explained why that is optimal (in opposition to the current wrongheaded >> trend to move away from that, wrongheaded is proven factually below). I >> was explaining this in order to show that we do not need to apply SOP to >> WebSockets. I was NOT explaining how the ENTIRE browser security system >> works now. And I can assure you that my statements were correct and >> factual (notwithstanding any mis-interpretations, grammatical errors, >> and >> typos). >> >> 2. Your allegation that I am in conflict with Wikipedia is incorrect. >> Wikipedia has a section "Other approaches to CSRF": >> >> http://en.wikipedia.org/w/index.php?title=Cross-site_request_forgery&oldid=377197816#Other_approaches_to_CSRF >> >> I agree that those are valid vulnerabilities. Wikipedia is even saying >> that they are not exactly "CSRF". Rather than create a name for them >> (since Wikipedia is not allowed to create new things, only state what is >> already), they have no place to put those vulnerabilities, so they stuck >> them under a new name "Other approaches to CSRF". They are not CSRF >> exactly. It is up us experts to give those a proper category of their >> own >> with a name. I humbly suggest that you notice that CSRF contains the >> word >> "Request". I will understand if you didn't notice that word in the >> acronym, but then it would help if you did not speak as absolute >> authority >> or expert, when apparently you are failable. My point is that CSRF >> involves vulnerabilities that initiate from "Cross Site Request >> Forgery", >> and that means they must initiate from "Request Forgery", and the >> vulnerabilities in that section do not (as Wikipedia also states). >> >> When I wrote "disagree", I meant I disagree with them being >> characterized >> as "approaches to CSRF", because by the time the requests have been >> issued >> in those vulnerabities, then request itself is no longer cross origin >> (Cross Site). The request itself it not the vulnerability in those >> cases, >> but rather the injection method is the vulnerability with the request as >> a >> payload. As a cross origin security expert, I hope you can appreciate >> the >> distinction and offer me a little due respect for my astute observation. >> >> ======================= >> Now let's see if I can re-summarize the main thrust of my prior posts >> below, in order to coax some initial "a ha, that is what he meant" >> understanding from readers, that might motivate them to go back and >> re-read my prior posts to have new epiphenies. >> >> I am pointing out that all (cross site or same site or whatever) network >> requests from the browser can be classified into 2 types of >> vulnerabilities (ignoring vulnerabilities due to bugs in the browser or >> server itself). And be clear that I mean where the request itself is the >> vulnerability, not where the request was a payload of a prior >> vulnerability (avoiding conflation is critical for correct analysis). >> Those boil down to: >> >> #1 Hijacking user data in a request, or more generally any request that >> causes unintended side-effects on server state-machine. >> #2 Requesting malicious resources (e.g. scripts). >> >> Those 2 correspond to the prior 2 categories from my prior posts. >> >> #1 is mis-classified (by you "experts") to be a SOP problem, when in >> fact >> it is a bug in the server code. Any one who has any significant real >> world >> experience in web programming security (I have 13 years as hands on CTO >> with millions of users), knows that the server must always be secure >> from >> any possible state-machine of its inputs. To require the client to help >> the server be secure, is the antithesis of security. That is why I said >> the solution is for the browser to never rely on persistent data on the >> client, if it wants to be secure. That is just common sense. >> >> #2 afaik is not precisely categorized with any name. It falls I guess >> under the general term XSS, but I am being more specific and talking >> about >> the vulnerability of the request itself. I understand that not >> conflating >> vulnerability categories, is the first fundamental step that an expert >> researcher must do. With respect to the request vulnerability, there is >> no >> vulnerability if the origin which is doing the requesting does not >> choose >> to request untrusted resources. SOP is not the same as trusted. Yes the >> same origin is trusted, but it is not the only origin that might be >> trusted. To restrict #2 to SOP in all scenarios, is least common >> denominator and not optimal. I proposed an easily granular solution that >> would work very well in the marketplace. I am confident my solution will >> win and I plan on implementing it soon, unless someone can explain why I >> am wrong. >> >> Good day. >> >> >> >>> Shelby, >>> >>> You seem deeply confused about how browser security works. I'm sorry >>> that I don't have a good reference to offer you to help you sort out >>> your confusion. However, much of what you've written on this subject >>> is just plain incorrect. (By the way, disagreeing with Wikipedia >>> usually isn't the best way to convince others that your definitions >>> are widely accepted.) >>> >>> Adam >>> >>> >>> On Tue, Aug 17, 2010 at 10:07 AM, Shelby Moore <shelby@coolpage.com> >>> wrote: >>>>>> SOP = same origin policy >>>>>> >>>>>> I will phrase this generally for all potential protocols, not just >>>>>> HTTP. >>>>>> >>>>>> Status quo should remain, where "cookies" (i.e. any client-side >>>>>> persistent >>>>>> user data) are (at least by default) inaccessible if they were not >>>>>> created >>>>>> by *.domain of the current page (i.e. window.location.*). >>>>>> >>>>>> There are only two categories of SOP attacks (all attacks fall under >>>>>> these >>>>>> two): >>>>>> >>>>>> 1. Cross-domain requests where "cookies" for the domain, receiving >>>>>> the >>>>>> request, are automatically included in the request. >>>>>> >>>>>> 2. Cross-domain requests that load malicious resources (e.g. usually >>>>>> scripts) from foreign domain into current domain. >>>>> >>>>> >>>>> Clarify that to be "There are only two categories of SOP applicable >>>>> cross-domain attacks for accessing network resources (all such >>>>> attacks >>>>> fall under the above two)". >>>>> >>>>> Of course SOP still has to always apply to script access to the >>>>> client-side resources (e.g. to cookies, frames, etc). Someone could >>>>> argue >>>>> for more user trust granularity for client-side-resources SOP, but I >>>>> would >>>>> retort that it would be unreasonably complex for users to manage >>>>> N-tuples >>>>> of domains that are trusted with respect to each other. >>>>> >>>>> The reason #2 does not involve N-tuples complexity is because the >>>>> domain >>>>> of the current page is entirely in control of when it initiates >>>>> access >>>>> to >>>>> network resources. Whereas for client-side resources, the domain is >>>>> not >>>>> in control of when its resources are accessed-- the browser is the >>>>> gatekeeper. >>>> >>>> #1 is CSRF: >>>> >>>> http://en.wikipedia.org/w/index.php?title=Cross-site_request_forgery&oldid=377197816#Example_and_characteristics >>>> >>>> #2 is not XSS: >>>> >>>> http://en.wikipedia.org/wiki/Cross-site_scripting >>>> >>>> Rather #2 needs a name, perhaps XSSR(equests), since it is only >>>> concerned >>>> with vulnerabilities that derive when a malicious resource (script) is >>>> requested by the trusted domain. >>>> >>>> >>>> CSRF >>>> ==== >>>> When I wrote "'cookies' (i.e. any client-side persistent user data)", >>>> I >>>> put it in quotes and defined it broadly because I didn't mean only >>>> HTTP >>>> cookies. I meant any way for the server to have persistance with the >>>> client that would be used by the server to do side-effects, and that >>>> would >>>> include Flash LSO objects, DOM storage, IP address (if only storing or >>>> dislaying this is probably safe side-effects), etc.. And I disagree >>>> with >>>> Wikipedia in that don't think just having the server check Referrer >>>> closes >>>> the security hole. >>>> >>>> The following are not CSRF as I have defined CSRF above and attacks >>>> due >>>> other unrelated vulnerabilities (disagree with Wikipedia for >>>> conflating >>>> them with CSRF): >>>> >>>> http://en.wikipedia.org/w/index.php?title=Cross-site_request_forgery&oldid=377197816#Other_approaches_to_CSRF >>>> _______________________________________________ >>>> hybi mailing list >>>> hybi@ietf.org >>>> https://www.ietf.org/mailman/listinfo/hybi >>>> >>> >>> >> >> > >
- [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Vladimir Katardjiev
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Vladimir Katardjiev
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Adam Barth
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Adam Barth
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Dave Cridland
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Salvatore Loreto
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore