Re: [hybi] Handshake was: The WebSocket protocol issues.

Willy Tarreau <w@1wt.eu> Wed, 29 September 2010 08:22 UTC

Date: Wed, 29 Sep 2010 10:23:10 +0200
From: Willy Tarreau <w@1wt.eu>
To: Greg Wilkins <gregw@webtide.com>
Message-ID: <20100929082310.GA3747@1wt.eu>
In-Reply-To: <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

On Wed, Sep 29, 2010 at 05:58:40PM +1000, Greg Wilkins wrote:
> On 29 September 2010 09:50, Maciej Stachowiak <mjs@apple.com> wrote:
> 
> >> + Reliance on the browser not treating the 101 response as an error.
> >> + The inability to read the ping frame after the 101 response.
> >
> > The threat model I described involves an attack on integrity, not confidentiality, so these two defenses do no good.
> >
> > In other words, the threat model is that the attacker sends commands with side effects that it shouldn't be able to, and doesn't care about reading the response.
> 
> This would rely on a WS server taking an undesirable side effect on
> the basis of a partially negotiated WS connection.
> If such a server were written, surely it would be vulnerable to any WS
> client and thus this is not a cross protocol issue, just
> a poorly written server. More importantly, is there anything about a
> raw HTTP request that cannot be done in a normal WS upgrade request
> that is likely to trigger such a side effect?

I'd push the reasoning further: the WS server must be as reliable as
HTTP servers, and must not rely on WS clients' behaviour to remain safe.
Many HTTP requests these days are forged and come from botnets. We can
be sure that when WS-aware servers become common, we'll also see forged
WS requests everywhere. The fact that the server challenges the client
will at least get rid of most of the stupid attacks which consist in
always sending the same forged patterns.

But once we consider we have smart clients, HTTP and WS will simply be
on the same scale.

Willy
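Added example, not code from this thread or from any of the projects mentioned in it: a minimal server-side gate in the spirit of the point above that a WS server must not depend on client behaviour. It assumes the RFC 6455 handshake (Sec-WebSocket-Key/Accept, which postdates this 2010 discussion) and a hypothetical side-effecting `on_command` hook; the hook is only reachable after the upgrade request has been validated and the 101 sent, so a raw or forged HTTP request carrying a command never reaches it.

```python
import base64
import hashlib

# RFC 6455 handshake constant (assumed here; the 2010 thread predates the final RFC).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept for a client's Sec-WebSocket-Key (RFC 6455, section 4.2.2)."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest()).decode("ascii")


class WsServerConnection:
    """Server state machine: `on_command` is unreachable until the upgrade was validated."""

    def __init__(self, on_command):
        self.state, self.buf, self.out = "HANDSHAKE", b"", b""
        self.on_command = on_command  # hypothetical application hook with side effects

    def _close(self, response: bytes = b"") -> None:
        self.out += response
        self.state, self.buf = "CLOSED", b""

    def feed(self, data: bytes) -> None:
        self.buf += data
        if self.state == "HANDSHAKE":
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                return  # wait for the complete request head before deciding anything
            head, self.buf = self.buf[:end].decode("latin-1"), self.buf[end + 4:]
            lines = head.split("\r\n")
            hdrs = {k.strip().lower(): v.strip()
                    for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
            if not (lines[0].startswith("GET ") and "sec-websocket-key" in hdrs
                    and hdrs.get("upgrade", "").lower() == "websocket"
                    and "upgrade" in hdrs.get("connection", "").lower()):
                # Raw or forged HTTP: refuse and discard the body; nothing is dispatched.
                return self._close(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            self.out += ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                         "Sec-WebSocket-Accept: " + accept_value(hdrs["sec-websocket-key"]) + "\r\n\r\n").encode("ascii")
            self.state = "OPEN"
        if self.state == "OPEN":
            self._drain_frames()

    def _drain_frames(self) -> None:
        # Only small (< 126 byte) single frames are handled; enough to show the gate.
        while len(self.buf) >= 2:
            b0, b1 = self.buf[0], self.buf[1]
            n = b1 & 0x7F
            if not b1 & 0x80 or n >= 126:  # client frames must be masked (RFC 6455, 5.1)
                return self._close()
            if len(self.buf) < 6 + n:
                return  # wait for the rest of the frame
            mask, payload, self.buf = self.buf[2:6], self.buf[6:6 + n], self.buf[6 + n:]
            if b0 & 0x0F == 0x1:  # text frame: the only thing handed to the application
                self.on_command(bytes(c ^ mask[i % 4] for i, c in enumerate(payload)).decode("utf-8"))
```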