Re: [hybi] Masking only Payload/Extension Data
Adam Barth <ietf@adambarth.com> Thu, 10 March 2011 11:30 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76BA73A6921 for <hybi@core3.amsl.com>; Thu, 10 Mar 2011 03:30:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[AWL=0.170, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSxyx3LSeIgF for <hybi@core3.amsl.com>; Thu, 10 Mar 2011 03:30:00 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by core3.amsl.com (Postfix) with ESMTP id 2F83F3A690F for <hybi@ietf.org>; Thu, 10 Mar 2011 03:30:00 -0800 (PST)
Received: by yxk30 with SMTP id 30so813489yxk.31 for <hybi@ietf.org>; Thu, 10 Mar 2011 03:31:17 -0800 (PST)
Received: by 10.236.191.3 with SMTP id f3mr1082835yhn.143.1299756677536; Thu, 10 Mar 2011 03:31:17 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id k29sm2048724yhk.14.2011.03.10.03.31.15 (version=SSLv3 cipher=OTHER); Thu, 10 Mar 2011 03:31:16 -0800 (PST)
Received: by iyj8 with SMTP id 8so1805809iyj.31 for <hybi@ietf.org>; Thu, 10 Mar 2011 03:31:15 -0800 (PST)
Received: by 10.42.159.201 with SMTP id m9mr8551696icx.244.1299756675064; Thu, 10 Mar 2011 03:31:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.10.200 with HTTP; Thu, 10 Mar 2011 03:30:45 -0800 (PST)
In-Reply-To: <AANLkTik-TNXCMygBu3WqBHyhJWaG-XUTjCdXud9zHOgX@mail.gmail.com>
References: <4D77B885.5050109@callenish.com> <OF36FEDDC6.06951577-ON8825784E.0062343E-8825784E.0066AC27@playstation.sony.com> <AANLkTinau4g1pB_ccJ31u7WRi5npYtHvXE5YRn5uTbeV@mail.gmail.com> <AANLkTikB4YeaYiF_NVGn61c1YxpNWbmEWQZu1WcN+=Jf@mail.gmail.com> <1299704939.2606.238.camel@ds9.ducksong.com> <20110309214212.GA29190@1wt.eu> <AANLkTi=i=8aWg=6+T7=Kn5dWeKkW6MYVCH_CuNkt_ZMM@mail.gmail.com> <AANLkTimip9o0RoZaBfONCmg5nuJVWXjOKDKgAt8zrNVV@mail.gmail.com> <AANLkTikbFBeM6+hiURSBqxFyjc2Wc-yh8UJnZiO+U0JX@mail.gmail.com> <20110310103914.GA32389@1wt.eu> <AANLkTik-TNXCMygBu3WqBHyhJWaG-XUTjCdXud9zHOgX@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 10 Mar 2011 03:30:45 -0800
Message-ID: <AANLkTima5VM+CUq1eN4tWYAkpHENt5wKDwtvyWO6ZQbs@mail.gmail.com>
To: Joel Martin <hybi@martintribe.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Masking only Payload/Extension Data
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 11:30:01 -0000
Thanks for having an open mind Joel. Let's start with some basic assumptions: 1) Attacks only get better over time. Over the (hopefully) many years folks will be using this protocol, the attacks we know about today will continue to exist, and security researchers will continue to learn more techniques and improve their attacks. That means we should design protocols with a margin of safety rather than pushing up against the razor edge of what we can reliably exploit today. Admitted, this aspect of security is somewhat of an art, and at some point we'll need to defer to the judgement of security experts as to how much of a margin we need for safety. 2) If an attacker can choose a moderately long sequence of bytes of the wire, we lose. More specifically, we can construct attacks today that abuse certain configurations of proxies using a moderate length of chosen bytes. Because of (1), we should expect the length of these sequences and the amount of damage attacker can cause with them to increase over time. The story would be different if we had some solid reasoning about lower bounds on length or upper bounds on damage, but we don't. For simplicity, let's consider the base framing protocol: http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-06#section-4.3 Let's assume we're only going to mask the extension data and the application data. That leds approximately 10 bytes at the beginning of the frame that's unmasked. Are these bytes under the control of the attacker? In large part, they are. For example, the attacker is relatively free to select the payload length. The attacker is also likely to have a large amount of control over the opcode (recall that the attacker can drive the protocol state machine into relatively arbitrary states). As for the various reserved bits, we don't know very much about how these bits will be used, but if they're likely to be at least partially under the influence of the attacker. Worse, consider the case where the attacker sends a sequence of very short (e.g., zero or one byte) messages. Now the attacker can control (or can strongly influence) an appreciable fraction of the bytes on the wire. Additionally, the attacker gets feedback (i.e., by seeing the bytes that arrive at the server) and can dynamically adjust subsequent messages based on this feedback. So, does the above add up to an attack I can demonstrate today? No. Is there reasonable evidence that attackers will be able to stich together the above weaknesses to construct an attack in the future? Yes. Given what we know today, my view is that not masking the entire frame is an unacceptable level of risk. Adam On Thu, Mar 10, 2011 at 3:05 AM, Joel Martin <hybi@martintribe.org> wrote: > I've been following this discussion pretty closely and I'm willing to change > my mind if Adam (or somebody else) can clearly lay out a threat model that > isn't easily addressed by minor tweaking. I really am interested in what > real threat may exist and not just being stubborn. Please enlighten me. > As somebody else has proposed, the allowable range of values in the length > field can always be reduced in the future by fragmenting to avoid _specific_ > known vulnerable intermediaries (in the implementations without even > changing the protocol). I.e. if "GET\n" is a problem, then client > implementations can just never send that value. > I suspect most would agree that masking of everything is better than > stalling the protocol any longer, but if Adam is the only objector and the > browser folks are okay with masking only payload then perhaps we should move > forward with it. > Joel Martin (kanaka) > On Thu, Mar 10, 2011 at 1:39 PM, Willy Tarreau <w@1wt.eu> wrote: >> >> On Thu, Mar 10, 2011 at 02:25:28AM -0800, Brian wrote: >> > By my count, we have six voices in favor so far, including myself: >> > Andy Green >> > Ytaka Takeda >> > Greg Wilkins >> > Willy Tarreau >> > Joel Martin >> > Brian McKelvey >> > >> > One on record as not having a strong opinion one way or the other: >> > Ian Fette >> > >> > And one opposed: >> > Adam Barth >> > >> > >> > Adam's curt and patronizing reply is once again unenlightening as to >> > any viable reason why we need to mask the frame header as well as the >> > payload, beyond just his gut feeling on the matter. I'd like to >> > re-assert that since the only field under a potential hacker's control >> > is the length (and potentially rsv bits via undefined extensions in >> > the future) that the practical possibility of the frame header being >> > used for an attack that actually accomplishes anything is so remote >> > it's utterly laughable. >> >> I'd like to add that it's important to remember that this controllable >> length is not even at the beginning of the frame, and that there are >> uncontrollable bytes before. >> >> Regards, >> Willy >> >> _______________________________________________ >> hybi mailing list >> hybi@ietf.org >> https://www.ietf.org/mailman/listinfo/hybi > > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi > >
- [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data Pat McManus @Mozilla
- Re: [hybi] Masking only Payload/Extension Data Willy Tarreau
- Re: [hybi] Masking only Payload/Extension Data Joel Martin
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Willy Tarreau
- Re: [hybi] Masking only Payload/Extension Data Joel Martin
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Pat McManus @Mozilla
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Patrick McManus
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data Julian Reschke
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Salvatore Loreto