IETF Logo Mail Archive

Re: [hybi] Redesigning the Web Socket handshake

Maciej Stachowiak <mjs@apple.com> Wed, 03 February 2010 07:53 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AADDF3A6948 for <hybi@core3.amsl.com>; Tue, 2 Feb 2010 23:53:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.407
X-Spam-Level:
X-Spam-Status: No, score=-106.407 tagged_above=-999 required=5 tests=[AWL=0.192, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BcktJfK1Ta-E for <hybi@core3.amsl.com>; Tue, 2 Feb 2010 23:53:24 -0800 (PST)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id AD7DA3A68FE for <hybi@ietf.org>; Tue, 2 Feb 2010 23:53:24 -0800 (PST)
Received: from relay16.apple.com (relay16.apple.com [17.128.113.55]) by mail-out3.apple.com (Postfix) with ESMTP id 4C232833EF17 for <hybi@ietf.org>; Tue, 2 Feb 2010 23:54:06 -0800 (PST)
X-AuditID: 11807137-b7bd4ae000000f0d-66-4b692b9e4de3
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay16.apple.com (Apple SCV relay) with SMTP id C6.13.03853.E9B296B4; Tue, 2 Feb 2010 23:54:06 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.86.222] by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KX900AEZ9Y5E310@et.apple.com> for hybi@ietf.org; Tue, 02 Feb 2010 23:54:06 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <5c902b9e1002022237x1a7da5e6pd2b7d1ec7d95581e@mail.gmail.com>
Date: Tue, 02 Feb 2010 23:54:05 -0800
Message-id: <B957B028-1B73-4E14-A529-8B17825A71A8@apple.com>
References: <Pine.LNX.4.64.1002012305000.21600@ps20323.dreamhostps.com> <4B676E8C.70804@webtide.com> <Pine.LNX.4.64.1002020311030.3846@ps20323.dreamhostps.com> <4B679E2C.2080502@webtide.com> <FD440FEA-9F53-4F4C-8AA5-98B23318F0F7@apple.com> <5c902b9e1002021431w25768b2eu4e21244f080bed25@mail.gmail.com> <9A862D96-FD32-4532-BDBE-AAC5C82DB954@apple.com> <5c902b9e1002022237x1a7da5e6pd2b7d1ec7d95581e@mail.gmail.com>
To: Justin Erenkrantz <justin@erenkrantz.com>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: hybi@ietf.org
Subject: Re: [hybi] Redesigning the Web Socket handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 07:53:25 -0000

On Feb 2, 2010, at 10:37 PM, Justin Erenkrantz wrote:

> On Tue, Feb 2, 2010 at 9:22 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>> Let me start by laying out the security risks in the current handshake. Then I will explain my proposed change and how I believe it addresses them.
> 
> Thanks!  For the security stuff, I think it's best if I ponder that
> for a few days to see if I can grok where the risks are.  In the
> meantime, there is one point that I'd like to ask clarification on:
> 
>> To give a concrete example, consider a chat service over WebSocket. Let's say it doesn't check correctness of the handshake, and does authentication in-band. An attacker could construct an HTTP POST body which would look like an authentication message plus a couple of submitted sent messages. True, the attacker cannot read the victim's chat messages, but could send chat messages as the victim. Clearly this would be a significant security breach.
> 
> I am trying to understand how a properly implemented WS or HTTP server
> would fall into this trap.  For httpd, this would not be feasible -
> the code that parses request bodies isn't the same that handles the
> protocol.

A standalone WebSocket server could, per the WebSocket protocol draft, do no validation whatsoever of the WebSocket request handshake. I believe it would be completely conforming to skip until it sees two newlines in a row and start reading messages. Well, not quite - there seems to be a should-level requirement to abort if the third token of the first line does not contain a "/" character.

http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-74#section-5.2

A recent change also adds that "If a server reads fields for authentication purposes ... then the server should also verify that the client's handshake includes the invariant "Upgrade" and "Connection" parts of the handshake".

This is an improvement, but I think it should be a MUST not a should, and should be a requirement for all WebSocket servers. The spec also does not say that a WebSocket server MAY disconnect from the client if it finds the client handshake is invalid in any way other than lacking a "/".

A WebSocket module for an HTTP server would be less likely to fail to validate the handshake at all. However, whether the HTTP server would pass off invalid requests to a WebSocket module depends on how exactly it does dispatch. If it dispatches to the WebSocket module based on the relevant Connection and Upgrade headers, then it can't be tricked by XHR. But if it dispatches based on the path in the request, then it could pass a non-WebSocket request to the WebSocket module. In that case, if the WebSocket module doesn't do checking, it is similarly vulnerable.


>  I'm trying to think of any real server implementations that
> would attempt to process an HTTP body that also includes "fake"
> requests (but in a different protocol).  Maybe there's a bit of
> crafting that I'm just not seeing...

The HTTP body wouldn't "also" include fake requests, it would *just* include fake requests. The HTTP header of the HTTP request itself might be enough to fool a client that did nothing but check for "/" and skip until it finds two newlines. And after that, you can have well-formed WebSocket messages in the HTTP body.

> 
>> We could mitigate both of these risks, and also reduce the implementation difficulty for servers and proxies, by changing the handshake. We would remove the requirement for newlines or exact capitalization of the headers. Instead, we could have the browser generate a unique random nonce, which it includes in the handshake request. The server would be required to read it, and respond with a hash of the nonce value.
> 
> While I'm not 100% sold on the security rationale for nonce yet (still
> pondering it), at the least, the nonce is pretty straightforward to
> implement - so, I could certainly be willing to admit I have a blind
> spot there and go with the nonce if it means I can implement this in
> httpd in an otherwise-straightforward manner.

Thanks, that's useful feedback.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email