IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 09 October 2010 01:24 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DA3E3A6407 for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 18:24:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.843
X-Spam-Level:
X-Spam-Status: No, score=-2.843 tagged_above=-999 required=5 tests=[AWL=-0.244, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpnfqnHIsoFd for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 18:24:37 -0700 (PDT)
Received: from mail.gmx.net (mailout-de.gmx.net [213.165.64.22]) by core3.amsl.com (Postfix) with SMTP id 916133A63C9 for <hybi@ietf.org>; Fri, 8 Oct 2010 18:24:36 -0700 (PDT)
Received: (qmail invoked by alias); 09 Oct 2010 01:25:41 -0000
Received: from dslb-094-223-184-138.pools.arcor-ip.net (EHLO hive) [94.223.184.138] by mail.gmx.net (mp056) with SMTP; 09 Oct 2010 03:25:41 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX19o/KFPOJFocDeUQUCzHaU3SlLpMxm7T6BjAkF2zV WG1fgY7Db401l+
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Sat, 09 Oct 2010 03:25:37 +0200
Message-ID: <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de>
References: <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com>
In-Reply-To: <4CAFBD75.4020004@caucho.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 01:24:38 -0000

* Scott Ferguson wrote:
>And even if this were all possible, the browser could now ...
>
>... wait for it ...
>
>... make HTTP requests to a HTTP server using websockets instead of the 
>browser's HTTP client.

By now there are quite a number of handshake proposals floating around,
but if a single response is sufficient to make the web browser consider
the connection to have been upgraded to a Websocket connection, and the
framing allows to make frames that look like HTTP requests, and last I
checked "DELETE..." was a properly formed frame (though that relied on
the browser setting a flag that is currently reserved), then this setup
would allow attackers do to things they currently cannot do, as browsers
excercise considerable control over what requests a possibly malicious
web site can trigger for an unrelated site.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

v2.23.0 | Report a Bug | By Email