IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Greg Wilkins <gregw@webtide.com> Wed, 01 September 2010 09:28 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2896B3A6784 for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 02:28:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.757
X-Spam-Level:
X-Spam-Status: No, score=-1.757 tagged_above=-999 required=5 tests=[AWL=0.220, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dv2Qrviykieh for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 02:28:09 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id D13273A6783 for <hybi@ietf.org>; Wed, 1 Sep 2010 02:28:08 -0700 (PDT)
Received: by fxm18 with SMTP id 18so5215046fxm.31 for <hybi@ietf.org>; Wed, 01 Sep 2010 02:28:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.239.165.7 with SMTP id v7mr492455hbd.110.1283333318424; Wed, 01 Sep 2010 02:28:38 -0700 (PDT)
Received: by 10.239.186.139 with HTTP; Wed, 1 Sep 2010 02:28:38 -0700 (PDT)
In-Reply-To: <AANLkTikS7L_04HDAsL6t+FrHZKVXQN2Gx1gmjh4gYLcb@mail.gmail.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com> <4C7BF060.7070501@isdg.net> <4C7C2A33.6010405@caucho.com> <4C7C746F.1040006@isdg.net> <4C7D2B74.8030702@caucho.com> <4C7D5B20.9030503@isdg.net> <4C7DAECB.7050905@caucho.com> <AANLkTikS7L_04HDAsL6t+FrHZKVXQN2Gx1gmjh4gYLcb@mail.gmail.com>
Date: Wed, 01 Sep 2010 19:28:38 +1000
Message-ID: <AANLkTik3joD9ZKk8gtt5Nwa9kX0FpyGd6ZGc-G6yUPOc@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: ifette <ifette@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 09:28:10 -0000

2010/9/1 Ian Fette (イアンフェッティ) <ifette@google.com>:
> On Tue, Aug 31, 2010 at 6:39 PM, Scott Ferguson <ferg@caucho.com> wrote:
>> Or at least, I think that's what the protocol is trying to do. To me, it
>> looks like a security -through-confusion protocol hacked together by someone
>> with little security experience, who believes that a complicated, confusing
>> protocol is more secure than a straightforward one. If no one can understand
>> it, no one can attack it, I guess. That's just what it looks like to me.
>
> While I can appreciate that you may not care for the complexity of the
> handshake, I would ask that you please not attack the experience of the
> people involved in its design. Critiques of the protocol are certainly
> welcome, but I don't think personal attacks are appropriate.

Ian,

I think I can rephrase Scott's concerns as a non personal attack.

The current handshake contains a number of unusual security features
that I do not think have had the rigorous analysis that such security
algorithms deserve.

The algorithm encodes 2 random integers as decimal digits randomly
interspersed with other characters and spaces.  The algorithm requires
the characters to be ignored, the spaces to be counted and the number
to be divided by the number of spaces.

Dividing a random number by another random number generated from the
same random number generator can have unexpected numeric effects. I
have previously experienced a problem with a random session ID where
an attempt to "improve" a 32 bit random number by mixing in some salt
and applying another random number from the same generator actually
significantly reduced the search space.  An exploit was developed that
give 3 session ID, a bit of brute force calculation and you could
predict the next session with 1 in 48 accuracy. I fear that this
algorithm, combined with a poor random number generator, may similarly
be vulnerable, specially as the random characters and spaces will
reveal more information about the internal state of the generator.

The space counting is to protect against injection, but is not
required if the nonce is generated after the path is passed to the
websocket client. I simply don't understand the justification given in
the specification for the random characters interspersed with the
numbers.

My counter proposal is that the nonce is sent simply as hex number in
the header.  Since these numbers are generated after the path is
passed to the websocket client, they cannot be predicted and thus
cannot be injected.

Are there any problems with this simpler approach?

regards

v2.23.0 | Report a Bug | By Email