Re: [hybi] Different server semantics of CONNECT

Eric Rescorla <ekr@rtfm.com> Sat, 04 December 2010 14:05 UTC

In-Reply-To: <AANLkTimhMKseM=o6XFxDUqoA0cVVcR2ga0vcpeJOw6wO@mail.gmail.com>
References: <AANLkTi=5Z+PhCSmgNAd5_JcLYxR1rBQX=sbTT3qEwW-W@mail.gmail.com> <49B71D64-9B5D-40DB-B823-1552C56D19E5@gbiv.com> <AANLkTi=tF7kA3iP+FNfWOqiFwmB1q8jGgYABuE9KEuhc@mail.gmail.com> <743CF3C8-570C-42A0-9DF8-FD206F508C7C@gbiv.com> <070E177B-545C-4F43-A48A-7D8A0E9C2FF6@apple.com> <58C1667A-1F83-447F-ACD7-88109B0E48E4@gbiv.com> <8B0A9FCBB9832F43971E38010638454F03F347DF6C@SISPE7MB1.commscope.com> <AANLkTimp0Hvro3rCfihvV=9gGEGTn2dBXdE=4APSnM39@mail.gmail.com> <4CF881DD.5040409@it.aoyama.ac.jp> <AANLkTimWkXXAtpFmB85tNAw63=ej-mQ2Fhc4=7Hi_1_P@mail.gmail.com> <AANLkTi=zfsAuxuB=zhHqC99aFWv4C5qhszTvN7g7Pitr@mail.gmail.com> <AANLkTi=ufpHqotwO6+_Bwsa7t5H5cB-LLeP+d=A5R26E@mail.gmail.com> <AANLkTinHtN3uSGbZ6Hcki4wbMcN3vRp2_Ba=QENE2omY@mail.gmail.com> <AANLkTi=u-EL5CDVtz1fcMN90uVsdS5QCTku4ukD0+qNw@mail.gmail.com> <AANLkTi=QW22Sg1gboXBXB0nCzLrGktrYwq6AJX4oQJYr@mail.gmail.com> <AANLkTi=HyDUkFKnEzxPdiW0v1TNTuh3Nz70sSMmJaB8Y@mail.gmail.com> <AANLkTi=YK5hPEou+U76Bf39zqo3y+Y4omG0W0Q7EZvA0@mail.gmail.com> <AANLkTimhMKseM=o6XFxDUqoA0cVVcR2ga0vcpeJOw6wO@mail.gmail.com>
Date: Sat, 04 Dec 2010 06:07:08 -0800
Message-ID: <AANLkTinBivgAX4YiodEgRdpL0VY99uSHFpxw=zR6kVsn@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Greg Wilkins <gregw@intalio.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] Different server semantics of CONNECT

On Fri, Dec 3, 2010 at 11:52 PM, Greg Wilkins <gregw@intalio.com> wrote:

> On 3 December 2010 20:45, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> > On Fri, Dec 3, 2010 at 5:39 AM, Greg Wilkins <gregw@intalio.com> wrote:
> >> Eric,
> >>
> >> to put this another way, the paper produced the following results:
> >>
> >>  POST handshake + non-framed-data   15 vulnerable
> >>  GET-Upgrade + non-framed-data       8 vulnerable
> >
> > I know Adam said that data isn't framed in the Upgrade experiment. I
> > don't buy it. If this is what they sent in the Upgrade experiment:
> >
> > GET /resource HTTP/1.1
> > Upgrade: WebSocket
> > ...
> > <CRLF>
> > GET /script.php/<random> HTTP/1.1
> > Host: target.com
> >
> > i.e. there are no non-HTTP bytes between the handshake and the spoofed
> > requests, then this is very similar to the POST experiment. The only
> > major difference is the Upgrade header.
> >
> > Yet in the POST experiment, 1376 firewall circumvention attacks succeeded,
> > and in the Upgrade experiment, only 1 succeeded. The two experiments were
> > done at the same time, over the same intermediaries, same parsers. How
> > can this be?
>
> Zhong,
>
> Well, it's hard to know for sure unless Adam & Eric disclose.
>

Greg,

> I did ask if they framed the second request and Adam said no.
> It's true that it is not clear if the 8 random bytes are sent between
> the requests.
>
> It is certainly true that they did not send a hello frame with known
> unacceptable bytes.
>
> Is it true that the experiment was conducted over the same intermediaries
> etc?
>

The Flash and Java experiments were run in the same browsers, though even
then there is a fair amount of variation in which browsers you actually get
results from. This is all described in Section III(B)(2).

I'll have to check with Adam, but I believe the other handshakes were run
on the same browsers as well, because the number of impressions is
identical (54,534). However, as with the previous experiment, you don't
get the exact same number of successful (i.e., completed execution) tests.

> If the experiments were conducted by ad placements, then it would be
> quasi-random where the adverts were placed. Actually it may be worse
> than that, as the advert system may track data about the advertisement
> and alter its algorithm for where to display the advert over time,
> target pages and client source. There could be large systematic
> variables in the experiment.
>

It's not clear to me why you think this would create a systematic error.
It's not like the ad network knows the results of the campaign; it just
gives you impressions.
> I really don't want to rain on Adam & Eric's parade, as I think their
> work is really interesting and well worth doing. It is just that
> without full disclosure of methods and data, I think it is impossible
> to understand their findings or fully support their conclusions.
>

As I said earlier when you said that the paper didn't have details, I
believe the level of detail in this paper is consistent with the level of
detail in other experimental papers and describes the steps necessary to
replicate the experiment. But of course, like almost all papers, this was
written at the last minute and so we might have missed something.

What details is it you would like to know about that you think aren't
in the paper?

-Ekr