Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 09 October 2010 01:08 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Sat, 09 Oct 2010 03:08:59 +0200
Message-ID: <0peva6lqb609qj00in1oavnduas0o3bod5@hive.bjoern.hoehrmann.de>
References: <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de> <4CAFB9C4.6030905@caucho.com>
In-Reply-To: <4CAFB9C4.6030905@caucho.com>
Cc: hybi <hybi@ietf.org>

* Scott Ferguson wrote:
>To consider the original scenario, do you think the case where the 
>attacker's PHP script is on the same physical and virtual machine as the 
>target is something WebSockets needs to address? Or that the shared 
>machine configuration is already so compromised that complicating 
>WebSockets to address that scenario adds no real value.
>
>Your proxy case needs to be considered separately, because a proxied 
>attacker has less power over the web server than a PHP script on the 
>same server does.

I believe that if the latter case is addressed, then the former case is
no longer possible (if you consider the web server the browser attempts
to connect with a black box then they are really identical). I do think
in the former case an attacker will try many other things first. Note
that the attacker would only attempt this if the user knows something,
or can represent something, the attacker does not or cannot, like ensure
the request is coming from a particular IP address. Otherwise he could
just send whatever bytes to the server he feels like sending.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/