Re: [hybi] Frame size

"Thomson, Martin" <Martin.Thomson@andrew.com> Mon, 19 April 2010 00:39 UTC

From: "Thomson, Martin" <Martin.Thomson@andrew.com>
To: Ian Hickson <ian@hixie.ch>
Date: Mon, 19 Apr 2010 08:40:01 +0800
Thread-Topic: [hybi] Frame size
Message-ID: <8B0A9FCBB9832F43971E38010638454F03E7D067A9@SISPE7MB1.commscope.com>
References: <8B0A9FCBB9832F43971E38010638454F03E3F313ED@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004161940180.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D0678C@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190009190.751@ps20323.dreamhostps.com>
In-Reply-To: <Pine.LNX.4.64.1004190009190.751@ps20323.dreamhostps.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Frame size

> > You could complicate this if you like.  Perhaps each "fixed" sequence is
> > based on the output of a pseudorandom sequence, the seed to which is
> > assigned in the handshake.
> 
> Do you have any concrete suggestions for how we could do this? I'm not
> sure I follow.

Handshake contains: WebSocket-FrameSeed: <seed>

The peer that sends this header uses the number as follows:

  var prng = new PRNG(seed);   // seeded with the value from the handshake header
  WS.prototype.sendFrame = function (data) {
    // frame marker: the next FRAME_MARKER_LEN bits from the shared PRNG
    this.buffer.send(prng.getNextBits(WS.FRAME_MARKER_LEN), WS.FRAME_MARKER_LEN);

    this.buffer.send(WS.BINARY_FRAME, WS.FRAME_TYPE_LEN);

    var binary = UTF8.encode(data);
    this.buffer.send(binary.length, WS.FRAME_LENGTH_LEN);
    this.buffer.send(binary, binary.length);
  }

A receiver does the same, but uses the PRNG.getNextBits() to check that the frame was correctly terminated:

  if (this.buffer.read(WS.FRAME_MARKER_LEN) != prng.getNextBits(WS.FRAME_MARKER_LEN)) {
    // ERROR: drop connection, throw exception, etc...
  }

> Assuming you are asking for a longer rationale for the current handshake,
> please search for "the rationale" in this message for an explanation:
> 
>    http://www.ietf.org/mail-archive/web/hybi/current/msg01607.html

You have an HTTP client that is being duped into contacting a WebSockets server.  I can understand that far, but I don't see what the attacker gains.  The scenario needs more details.

Invent a scenario for me.  How does this allow the attacker to gain the nuclear launch codes?

If this is as simple as a programmer forgetting the distinction between /Upgrade: foo/ and /^Upgrade: foo/, then we're back to disagreeing on the same old and tired topic.

--Martin
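The seeded frame-marker scheme sketched in the message above, worked through as an added, self-contained example (not code from the message or from any WebSocket implementation): both sides run the same PRNG from a seed assumed to come from the handshake, the sender prefixes every frame with the PRNG's next output, and the receiver rejects the stream at the first marker that does not match. The frame layout, marker width and the LCG are assumptions chosen for illustration.

```javascript
// Added illustration, not code from the message: a seed agreed in the
// handshake (hypothetical WebSocket-FrameSeed header) drives a PRNG on both
// sides; each frame is prefixed with the next marker the PRNG produces.
const FRAME_MARKER_LEN = 16; // marker bits per frame (assumed value)

// Deterministic 32-bit LCG (assumed for illustration only).
class PRNG {
  constructor(seed) { this.state = seed >>> 0; }
  getNextBits(n) {
    this.state = (Math.imul(this.state, 1664525) + 1013904223) >>> 0;
    return this.state >>> (32 - n); // top n bits of the new state
  }
}

// Sender: [marker:2 bytes][length:2 bytes][UTF-8 payload] per frame.
function encodeFrames(seed, messages) {
  const prng = new PRNG(seed);
  const parts = [];
  for (const msg of messages) {
    const body = Buffer.from(msg, 'utf8');
    const hdr = Buffer.alloc(4);
    hdr.writeUInt16BE(prng.getNextBits(FRAME_MARKER_LEN), 0);
    hdr.writeUInt16BE(body.length, 2);
    parts.push(hdr, body);
  }
  return Buffer.concat(parts);
}

// Receiver: the marker must match the PRNG's next output before each frame,
// so a wrong seed, or a length field that desynchronises the stream, is
// caught at the next frame boundary instead of being parsed as payload.
function decodeFrames(seed, buf) {
  const prng = new PRNG(seed);
  const frames = [];
  let pos = 0;
  while (pos + 4 <= buf.length) {
    if (buf.readUInt16BE(pos) !== prng.getNextBits(FRAME_MARKER_LEN)) {
      return { frames, error: `marker mismatch at offset ${pos}` };
    }
    const len = buf.readUInt16BE(pos + 2);
    if (pos + 4 + len > buf.length) {
      return { frames, error: `truncated frame at offset ${pos}` };
    }
    frames.push(buf.subarray(pos + 4, pos + 4 + len).toString('utf8'));
    pos += 4 + len;
  }
  return { frames, error: null };
}
```

With a shortened length field in the first frame, the receiver still consumes the truncated payload but fails on the very next marker check, which is the point of the scheme: a framing error cannot silently run on as data.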