IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Adam Barth <ietf@adambarth.com> Wed, 01 September 2010 04:59 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 526FF3A6A2E for <hybi@core3.amsl.com>; Tue, 31 Aug 2010 21:59:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[AWL=-0.133, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wLeTYmrweusm for <hybi@core3.amsl.com>; Tue, 31 Aug 2010 21:59:53 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by core3.amsl.com (Postfix) with ESMTP id 857C03A6A26 for <hybi@ietf.org>; Tue, 31 Aug 2010 21:59:53 -0700 (PDT)
Received: by gxk20 with SMTP id 20so3425833gxk.31 for <hybi@ietf.org>; Tue, 31 Aug 2010 22:00:23 -0700 (PDT)
Received: by 10.151.63.30 with SMTP id q30mr2700509ybk.154.1283317223721; Tue, 31 Aug 2010 22:00:23 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id e7sm382348ybe.16.2010.08.31.22.00.21 (version=SSLv3 cipher=RC4-MD5); Tue, 31 Aug 2010 22:00:22 -0700 (PDT)
Received: by iwn3 with SMTP id 3so7120879iwn.31 for <hybi@ietf.org>; Tue, 31 Aug 2010 22:00:21 -0700 (PDT)
Received: by 10.231.179.24 with SMTP id bo24mr8280814ibb.193.1283317221215; Tue, 31 Aug 2010 22:00:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.187.218 with HTTP; Tue, 31 Aug 2010 21:59:51 -0700 (PDT)
In-Reply-To: <4C7DAECB.7050905@caucho.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com> <4C7BF060.7070501@isdg.net> <4C7C2A33.6010405@caucho.com> <4C7C746F.1040006@isdg.net> <4C7D2B74.8030702@caucho.com> <4C7D5B20.9030503@isdg.net> <4C7DAECB.7050905@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 31 Aug 2010 21:59:51 -0700
Message-ID: <AANLkTinv-mkMD4LkEZaqmYOjLNBBQ5QHDJHVZ9R=VMyp@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 04:59:54 -0000

On Tue, Aug 31, 2010 at 6:39 PM, Scott Ferguson <ferg@caucho.com> wrote:
> a) To validate the server as websocket server (as opposed to a SMTP server),
> the client creates a securely-generated random nonce, c_nonce and sends it
> in C1. The server sends back a hash in S2, like H(c_nonce, "WebSocket").
> Since no server other than a websocket server will generate that hash,
> you've verified that the server is a websocket server.

This assumption is not correct.  Consider, for example, a protocol
like DNS or an HTTP proxy where the attacker is given some control
over the server's response.  We have no guarantee that S2 was actually
generated by the server and not by some other entity and just relayed
by the server.

Adam

v2.23.0 | Report a Bug | By Email