IETF Logo Mail Archive

Re: [hybi] Masking only Payload/Extension Data

Greg Wilkins <gregw@webtide.com> Wed, 09 March 2011 11:03 UTC

Return-Path: <gregw@intalio.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F16B3A68FE for <hybi@core3.amsl.com>; Wed, 9 Mar 2011 03:03:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.616
X-Spam-Level:
X-Spam-Status: No, score=-2.616 tagged_above=-999 required=5 tests=[AWL=0.361, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9IJf-mP0tBh for <hybi@core3.amsl.com>; Wed, 9 Mar 2011 03:03:38 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id 525B13A681A for <hybi@ietf.org>; Wed, 9 Mar 2011 03:03:38 -0800 (PST)
Received: by vws6 with SMTP id 6so430637vws.31 for <hybi@ietf.org>; Wed, 09 Mar 2011 03:04:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.98.169 with SMTP id ej9mr3739536vdb.223.1299668617959; Wed, 09 Mar 2011 03:03:37 -0800 (PST)
Sender: gregw@intalio.com
Received: by 10.52.169.39 with HTTP; Wed, 9 Mar 2011 03:03:37 -0800 (PST)
In-Reply-To: <AANLkTimcTUYRMBA7XfYpbUNX26eup+oq2C3cL-q8+gf-@mail.gmail.com>
References: <AANLkTim7js6hPBMoEgmzr3gH-NuRYkEZ-pAePkgo=Q=L@mail.gmail.com> <AANLkTimcTUYRMBA7XfYpbUNX26eup+oq2C3cL-q8+gf-@mail.gmail.com>
Date: Wed, 09 Mar 2011 22:03:37 +1100
X-Google-Sender-Auth: T1g5LixXVC-Pw8lXeKiv1uvcXt4
Message-ID: <AANLkTi=uV_axB7bU2juczGp_gW1_ZPRXpVC1+01jrBO2@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: ifette@google.com
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Masking only Payload/Extension Data
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 11:03:39 -0000

I'm +1 on the proposal.

2011/3/9 Ian Fette (イアンフェッティ) <ifette@google.com>:
> Can someone please explain to me why this matters?


modified from the earlier thread on this:

Masked Frames PROS:
 + all bytes other than the key are masked.  This prevents an attacker
from using frame fields like the length to send "clear text"

Masked Frame CONS:
 - Masking is not independent of framing - poor layered protocol design.
ie this is the same reason that gzip in HTTP does not change the framing
of HTTP messages.
 - all WS handling that needs to be aware of frame boundaries will
need to implement masking.  This will mean that more infrastructure
will have masking hard coded into it, thus it will soon become very
difficult, if not impossible to change framing as it will be baked
into WS aware intermediaries.
 - Intermediaries that do not care about content will still need to
unmask and remask the frames.
 - the parser/generator code for WS becomes more complex and
asymmetric because it must implement masking for some WS streams but
not for others.
 - unmasking cannot be done as single optimised pass over the data,
but must be done on-the-fly in the parsing code.
 - the options for masking algorithms is limited.  For example session
based keys could not be used in a MUX environment as the session key
would need to be known to access the extension data to know the stream
ID, so the session ID could be known so you can't know the session
key.   While session based masking may not be desirable for other
reasons, this limitation indicates a fundamental limitation of the
masked frame approach.



Mask in Frame PROS:
 + Masking is independent of framing.   Good layered protocol design.
 + Intermediaries that do not process the payload will not need to
implement masking. This saves CPU, memory and also will make it easier
to change and/or remove masking in future.
 + WS parsing code is simple and symmetric.
 + session based masking algorithms can be used if desired
 + Can utilise the extension data space to carry the key - thus
testing the implementation of the parsing of extension data length and
preventing implementations assuming this will be zero.

Mask in Frame CONS:
 - The frame op-code, flags and length are sent in the clear.  Of
these, an attacker has reasonable control over the length field, so
could conceivably send 8 characters including "GET\n" as the length
(although this would be very difficult to do via the current
javascript API.  There are also simple heuristic defences for this,
such as fragmenting any frame that has a length that is all ascii and
has a CR)


In summary,   mask in frame is far more flexible, low cost and
demonstrable better design, at cost of exposing a very very unlikely
subcase of an already very very unlikely vulnerability to an as of yet
undiscovered threat, of which an exploitable variation is already in
the wild using non ws clients.

v2.23.0 | Report a Bug | By Email