Re: [hybi] Call for interest: multiplexing dedicated for WebSocket
Tobias Oberstein <tobias.oberstein@tavendo.de> Fri, 31 May 2013 08:27 UTC
Return-Path: <tobias.oberstein@tavendo.de>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31FC021F901A for <hybi@ietfa.amsl.com>; Fri, 31 May 2013 01:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CQjE6v6Jb7M4 for <hybi@ietfa.amsl.com>; Fri, 31 May 2013 01:27:37 -0700 (PDT)
Received: from EXHUB020-2.exch020.serverdata.net (exhub020-2.exch020.serverdata.net [206.225.164.29]) by ietfa.amsl.com (Postfix) with ESMTP id C764321F91CB for <hybi@ietf.org>; Fri, 31 May 2013 01:27:36 -0700 (PDT)
Received: from [149.172.148.89] (149.172.148.89) by smtpx20.serverdata.net (206.225.164.34) with Microsoft SMTP Server (TLS) id 8.3.264.0; Fri, 31 May 2013 01:27:35 -0700
Message-ID: <51A85EF9.3010907@tavendo.de>
Date: Fri, 31 May 2013 10:27:37 +0200
From: Tobias Oberstein <tobias.oberstein@tavendo.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Roberto Peon <fenix@google.com>
References: <CAH9hSJZxr+aG7GZa4f-dUOTGj4bnJ+3XxivUX4jei5CMyqN4LQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C319646@EXVMBX020-12.exch020.serverdata.net> <CAH9hSJYrrbSM3TTSKCQ=AMcwCfE4zqNAa1kuAvecrXZTLqy2gQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C3DA774@EXVMBX020-12.exch020.serverdata.net> <CAHixhFrTk79A07BjQCgvep_+bmA4rGG1ZvqmoS6gsQYNPyPoZA@mail.gmail.com> <CAH9hSJYFa+bqN=e7x87W+Xvq-st70nbzUXniQaPme2fzspCjWA@mail.gmail.com> <51A70DF9.5010601@tavendo.de> <CAGzyod6daSOvAVHU6B=Qr0xDqNca_8iXrFYr0gTGdqZPryFFpA@mail.gmail.com>
In-Reply-To: <CAGzyod6daSOvAVHU6B=Qr0xDqNca_8iXrFYr0gTGdqZPryFFpA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Call for interest: multiplexing dedicated for WebSocket
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 08:27:44 -0000
> The way CRIME works is to have a 3rd party include links to the > site-to-attack. Thus it doesn't matter if the schemes are http, https, > ws, wss, whatever. Does above refer to the general requirement for CRIME: the attacker must be able to inject data into the source material before it is compressed and then encrypted? If so, how would that be possible with WebSocket and the proposed WebSocket per-message compression? random thoughts: a) permessage-deflate only compresses WS data messages, not control frames. So the attacker would need to inject data into the app-level payload. The only way to send app-level payload in browsers if via the JavaScript WebSocket API (socket.send()). So the attacker would need to somehow modify this JS code. However, the origin of the JS running is (at least with browsers) sent during the WS opening handshake as a HTTP header, and a WS server can check and decline an incoming connection. b) With WS HTTP headers are only sent _once_: during the initial WS opening handshake, and by the client to the server. CRIME requires repeated injection of attacker data. More so: permessage-deflate does not touch the opening handshake, which remains uncompressed. Side Q: Do browsers reuse an established TLS/TCP connection for multiple WS connections? /Tobias
- [hybi] Call for interest: multiplexing dedicated … Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Bruce Atherton
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Arman Djusupov
- Re: [hybi] Call for interest: multiplexing dedica… Salvatore Loreto
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Salvatore Loreto
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Joakim Erdfelt
- Re: [hybi] Call for interest: multiplexing dedica… John A. Tamplin
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Zhong Yu
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… John A. Tamplin
- Re: [hybi] Call for interest: multiplexing dedica… Zhong Yu
- Re: [hybi] Call for interest: multiplexing dedica… Bruce Atherton
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Zhong Yu
- Re: [hybi] Call for interest: multiplexing dedica… Arman Djusupov
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Adam Rice
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Adam Rice
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… John A. Tamplin
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein