Re: [hybi] Handshake was: The WebSocket protocol issues.

Ian Hickson <ian@hixie.ch> Mon, 27 September 2010 08:18 UTC

Date: Mon, 27 Sep 2010 08:18:53 +0000
From: Ian Hickson <ian@hixie.ch>
To: Adam Barth <ietf@adambarth.com>
In-Reply-To: <AANLkTinRRX7GURvLvHAm5cNY2GXrAoRAEo9WW8S-Ae85@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.1009270800050.3271@ps20323.dreamhostps.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <AANLkTikfYOCOm_+g3=QCTFOCo=rYsj8WpX8AS65qgkPm@mail.gmail.com> <AANLkTim0R-cHCKiMw-zA7r+NrQbbiyM2xPLVm8G-shCx@mail.gmail.com> <AANLkTinRRX7GURvLvHAm5cNY2GXrAoRAEo9WW8S-Ae85@mail.gmail.com>
Cc: hybi <hybi@ietf.org>
List-Id: Server-Initiated HTTP <hybi.ietf.org>

On Sun, 26 Sep 2010, Adam Barth wrote:
>
> Your email appears to proceed from the assumption that the current 
> handshake is sufficiently robust to cross-protocol attacks.  That might 
> well be true.  However, I don't think we have any reasonable assurance 
> that it is true.  If we can't have reasonable assurance of the security 
> of the -76 handshake, then we certainly cannot have such assurance about 
> your handshake since it is strictly weaker.
> 
> On the other hand, we can be reasonably assured that the TLS+NPN 
> handshake resists cross-protocol attacks.  I provided a security 
> argument to that effect in an email a while ago.  No one has provided a 
> similarly detailed security analysis of the -76 handshake or of the 
> handshake that you propose.

As the designer of the "-76 handshake", I can confirm that while I am not 
aware of any attacks against it, and while it was designed to withstand 
all the attacks I knew of and to be resilient against the most obvious 
implementation errors, it is certainly not proven beyond a doubt that it 
is secure against anything that might be thrown at it.

As it stands, the handshake was a compromise between the competing needs 
of security in depth, fast time-to-market, and triviality of 
implementation. Since the latter two constraints are no longer as 
pressing, IMHO we should dial up the effort on the first. We can certainly 
do a much better job of having a handshake immune to current and future 
threats if we can take longer to do it and/or if we can do things that 
only have to be implemented a few times by more experienced engineers 
(e.g. if we can rely on crypto-level features like TLS).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
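For readers who have not seen the "-76 handshake" that Adam and Ian are arguing about, here is the challenge/response computation from draft-hixie-thewebsocketprotocol-76 as an added worked example. This is not part of Ian's message or any project's code; the function names are mine, and the key values and expected 16-byte response are the example handshake printed in that draft. What the check buys you is limited: the MD5 over the two decoded key numbers and the 8 trailing bytes proves only that whatever answered the request parsed the WebSocket-specific headers and body, which is exactly the cross-protocol property under dispute, not that the server is who it claims to be.

```python
"""Draft-76 WebSocket handshake challenge/response (added example)."""
import hashlib
import hmac
import re
import struct


def decode_key(header_value: str) -> int:
    """Decode one Sec-WebSocket-Key1 / Sec-WebSocket-Key2 header value.

    Draft-76 rule: concatenate the decimal digits in the value, then divide
    by the number of space characters. A value with no spaces, or whose
    digits are not an exact multiple of its space count, is malformed and
    the connection must be dropped; that divisibility check is what makes
    a server that did not really parse the keys fail loudly.
    """
    digits = "".join(re.findall(r"[0-9]", header_value))
    spaces = header_value.count(" ")
    if not digits or spaces == 0:
        raise ValueError("malformed key: needs digits and at least one space")
    number = int(digits)
    if number % spaces != 0:
        raise ValueError("malformed key: digits not divisible by space count")
    return number // spaces


def challenge_response(key1: str, key2: str, key3: bytes) -> bytes:
    """Server side: MD5(key1_number || key2_number || key3).

    Each decoded number is packed as a 32-bit big-endian integer; key3 is
    the 8 raw bytes that follow the request headers.
    """
    if len(key3) != 8:
        raise ValueError("key3 must be exactly 8 bytes")
    n1 = decode_key(key1)
    n2 = decode_key(key2)
    if n1 > 0xFFFFFFFF or n2 > 0xFFFFFFFF:
        raise ValueError("decoded key number does not fit in 32 bits")
    return hashlib.md5(struct.pack(">II", n1, n2) + key3).digest()


def client_accepts(key1: str, key2: str, key3: bytes, server_body: bytes) -> bool:
    """Client side: the 16-byte body of the 101 response must equal the
    expected challenge response. A non-WebSocket HTTP server that merely
    echoes a 101 cannot produce it because it never looked at the keys."""
    expected = challenge_response(key1, key2, key3)
    return hmac.compare_digest(expected, server_body)


# Test vector: the example handshake from draft-76 (not constructed here).
EXAMPLE_KEY1 = "4 @1  46546xW%0l 1 5"
EXAMPLE_KEY2 = "12998 5 Y3 1  .P00"
EXAMPLE_KEY3 = b"^n:ds[4U"
EXAMPLE_RESPONSE = b"8jKS'y:G*Co,Wxa-"

if __name__ == "__main__":
    print(decode_key(EXAMPLE_KEY1), decode_key(EXAMPLE_KEY2))
    print(challenge_response(EXAMPLE_KEY1, EXAMPLE_KEY2, EXAMPLE_KEY3))
    print(client_accepts(EXAMPLE_KEY1, EXAMPLE_KEY2, EXAMPLE_KEY3, EXAMPLE_RESPONSE))
```

Running it decodes the two draft keys to 829309203 and 259970620 and reproduces the draft's response body; feeding `client_accepts` anything else, or a key with no spaces, is rejected, which is the "resilient against the most obvious implementation errors" behaviour Ian refers to, and nothing more.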