Re: [hybi] Masking only Payload/Extension Data
Greg Wilkins <gregw@webtide.com> Wed, 09 March 2011 11:03 UTC
Return-Path: <gregw@intalio.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F16B3A68FE for <hybi@core3.amsl.com>; Wed, 9 Mar 2011 03:03:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.616
X-Spam-Level:
X-Spam-Status: No, score=-2.616 tagged_above=-999 required=5 tests=[AWL=0.361, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9IJf-mP0tBh for <hybi@core3.amsl.com>; Wed, 9 Mar 2011 03:03:38 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id 525B13A681A for <hybi@ietf.org>; Wed, 9 Mar 2011 03:03:38 -0800 (PST)
Received: by vws6 with SMTP id 6so430637vws.31 for <hybi@ietf.org>; Wed, 09 Mar 2011 03:04:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.98.169 with SMTP id ej9mr3739536vdb.223.1299668617959; Wed, 09 Mar 2011 03:03:37 -0800 (PST)
Sender: gregw@intalio.com
Received: by 10.52.169.39 with HTTP; Wed, 9 Mar 2011 03:03:37 -0800 (PST)
In-Reply-To: <AANLkTimcTUYRMBA7XfYpbUNX26eup+oq2C3cL-q8+gf-@mail.gmail.com>
References: <AANLkTim7js6hPBMoEgmzr3gH-NuRYkEZ-pAePkgo=Q=L@mail.gmail.com> <AANLkTimcTUYRMBA7XfYpbUNX26eup+oq2C3cL-q8+gf-@mail.gmail.com>
Date: Wed, 09 Mar 2011 22:03:37 +1100
X-Google-Sender-Auth: T1g5LixXVC-Pw8lXeKiv1uvcXt4
Message-ID: <AANLkTi=uV_axB7bU2juczGp_gW1_ZPRXpVC1+01jrBO2@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: ifette@google.com
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Masking only Payload/Extension Data
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 11:03:39 -0000
I'm +1 on the proposal. 2011/3/9 Ian Fette (イアンフェッティ) <ifette@google.com>: > Can someone please explain to me why this matters? modified from the earlier thread on this: Masked Frames PROS: + all bytes other than the key are masked. This prevents an attacker from using frame fields like the length to send "clear text" Masked Frame CONS: - Masking is not independent of framing - poor layered protocol design. ie this is the same reason that gzip in HTTP does not change the framing of HTTP messages. - all WS handling that needs to be aware of frame boundaries will need to implement masking. This will mean that more infrastructure will have masking hard coded into it, thus it will soon become very difficult, if not impossible to change framing as it will be baked into WS aware intermediaries. - Intermediaries that do not care about content will still need to unmask and remask the frames. - the parser/generator code for WS becomes more complex and asymmetric because it must implement masking for some WS streams but not for others. - unmasking cannot be done as single optimised pass over the data, but must be done on-the-fly in the parsing code. - the options for masking algorithms is limited. For example session based keys could not be used in a MUX environment as the session key would need to be known to access the extension data to know the stream ID, so the session ID could be known so you can't know the session key. While session based masking may not be desirable for other reasons, this limitation indicates a fundamental limitation of the masked frame approach. Mask in Frame PROS: + Masking is independent of framing. Good layered protocol design. + Intermediaries that do not process the payload will not need to implement masking. This saves CPU, memory and also will make it easier to change and/or remove masking in future. + WS parsing code is simple and symmetric. + session based masking algorithms can be used if desired + Can utilise the extension data space to carry the key - thus testing the implementation of the parsing of extension data length and preventing implementations assuming this will be zero. Mask in Frame CONS: - The frame op-code, flags and length are sent in the clear. Of these, an attacker has reasonable control over the length field, so could conceivably send 8 characters including "GET\n" as the length (although this would be very difficult to do via the current javascript API. There are also simple heuristic defences for this, such as fragmenting any frame that has a length that is all ascii and has a CR) In summary, mask in frame is far more flexible, low cost and demonstrable better design, at cost of exposing a very very unlikely subcase of an already very very unlikely vulnerability to an as of yet undiscovered threat, of which an exploitable variation is already in the wild using non ws clients.
- [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data Pat McManus @Mozilla
- Re: [hybi] Masking only Payload/Extension Data Willy Tarreau
- Re: [hybi] Masking only Payload/Extension Data Joel Martin
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Willy Tarreau
- Re: [hybi] Masking only Payload/Extension Data Joel Martin
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Pat McManus @Mozilla
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Patrick McManus
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data Julian Reschke
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Salvatore Loreto