IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Tue, 28 September 2010 16:38 UTC

Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7DFCE3A6BA7 for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 09:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.536
X-Spam-Level:
X-Spam-Status: No, score=-2.536 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntO6QcLmZwQ1 for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 09:38:10 -0700 (PDT)
Received: from smtp111.biz.mail.mud.yahoo.com (smtp111.biz.mail.mud.yahoo.com [209.191.68.76]) by core3.amsl.com (Postfix) with SMTP id 56DF63A6AB3 for <hybi@ietf.org>; Tue, 28 Sep 2010 09:38:10 -0700 (PDT)
Received: (qmail 58085 invoked from network); 28 Sep 2010 16:38:45 -0000
Received: from [192.168.1.11] (ferg@66.92.8.203 with plain) by smtp111.biz.mail.mud.yahoo.com with SMTP; 28 Sep 2010 09:38:45 -0700 PDT
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: 1DceFrkVM1mS7jZvjTPnBTUeyDQeDn38EvwfxGBuG_HtyaW VPO3zIBuiQxcLoXOfCKAbluQC80j6kS0cGpc8yhsmhmvfYgIsVYP8P7MGad5 I5CxKZck1MG02P2VaG_0GAJeU8xTOJXqqsr6CTuskwcxvE8hKaKAtosCaFnt GrJjBxYaAb.hF11gP.l68bpsM6KpinXypp.AdgPLVmeh5mFGQfn1qxnMdz2R NKtZBa4GRtr03fn3Sz0KWbh3PoCKbQQbn7i9aQt5PecOnI4ONdUnbBj8sL0u x9L5pFmFoToR4pdl93K_WSQ--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CA21A0F.2030608@caucho.com>
Date: Tue, 28 Sep 2010 09:38:39 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Maciej Stachowiak <mjs@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <F1C112EC-28AB-4CE2-9208-2517077E5EC2@apple.com>
In-Reply-To: <F1C112EC-28AB-4CE2-9208-2517077E5EC2@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 16:38:11 -0000

Maciej Stachowiak wrote:
> On Sep 27, 2010, at 10:13 AM, Scott Ferguson wrote:
>
>   
>> With that modification, the client does not send websocket data until the server has been validated as a websocket server, and the server does not process websocket data until the client has been validated as a websocket client. (There's no need for a S4 "pong" packet since the server is already validated as websocket when the client validates S2.) That protocol is pretty much the minimum required, and doesn't add overhead beyond the current handshake.
>>     
>
> Yes, I think that would be stronger in the scenario I describe, but it would be highly vulnerable to a bad RNG on the server, in part because the final authentication of the client does not involve the c-nonce at all.
>   

But that weakness is fundamental to all authentication. If keys or 
nonces can be predicted because they're not random, then you're always 
vulnerable to replay attacks. That issue is not specific to any 
particular protocol/handshake; it applies to all of them.

> More generally, I am not 100% confident that this approach will hold up in the long term against novel attacks.
>   

That's not really a point.

Since nonce/hash as authentication is a well-known pattern, it's 
potential vulnerabilities are also well-known. The issue of novel 
attacks would be more of a problem with a new security pattern, which is 
why sticking to the old patterns is generally a good idea.

>   
>> I'd propose two additional changes that aren't required, strictly speaking, but would be helpful for other security-related reasons:
>>
>> 1. Use "WEBSOCKET" instead of "GET" as the HTTP method. This is helpful because it lets validating servers quickly reject websocket requests (e.g. well-behaved HTTP servers), and lets server administrators use existing security frameworks (which are often HTTP method based), to specify websocket security easily. With the current "GET", it's somewhat of a problem for a server administrator to specify a different policy for GET vs websockets.
>>
>> 2. Use a new AUTH or HELLO opcode/packet for the C3 hash instead of overloading PING. This would make the packet's purpose clear and give a space for any future challenge-based authentication to put its credentials in a future spec extension. (I'd recommend any authentication extension/C3-payload use HTTP style authentication headers so the extension could just use existing security handshakes.)
>>     
>
> #1 seems like an improvement, but #2 doesn't seem to give any security benefit.
>   

#2 is certainly a security benefit for servers. If a server provides a 
non-browser service, it needs the ability to authenticate. That should 
be an obvious security need.

>> No, it's different from -76, because the properties of the nonce/hash pattern are well known. The flaw with -76 is just what you describe: it's inventing new security patterns and is likely to have complicated flaws. Sticking to a well-known pattern is the right way to go.
>>     
>
> Nonce/hash is a well-known mechanism. But I do not believe there is a lot of knowledge on using it as a defense against cross-protocol attacks. Generally it is used as part of a challenge-response mechanism for authentication purposes, but authentication is not the goal here. There is no shared secret or public-private keypair involved.
>   

Authentication is the goal here. The whole point of defeating a 
cross-protocol attack is authenticating both the client and the server 
as implementing the correct protocol. Once you've validated both sides 
as implementing websockets, then any attack is no longer a 
cross-protocol attack.

The shared "secret" is the "WebSocket" value in the hash. For server 
authentication, H(c-nonce, "WebSocket"), only a websocket server will 
ever produce that hash because on a websocket server has that "secret". 
SMTP cannot produce that response because it don't have that secret (and 
doesn't produce hashes at all, of course.)

-- Scott

> Regards,
> Maciej
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email