Re: [hybi] Handshake was: The WebSocket protocol issues.

Willy Tarreau <w@1wt.eu> Sat, 09 October 2010 05:53 UTC

Date: Sat, 09 Oct 2010 07:54:12 +0200
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Message-ID: <20101009055412.GK4712@1wt.eu>
References: <AANLkTi=nLixtxMEd4B58Zp5FRbquNX2C_=7gCf9BGGQs@mail.gmail.com> <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com>
In-Reply-To: <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com>
Cc: hybi <hybi@ietf.org>

On Fri, Oct 08, 2010 at 04:03:42PM -0700, Adam Barth wrote:
> Concretely, consider http://www.adambarth.com/.  My web site is a
> virtual host on a physical server in a 1and1 datacenter.  I'm
> perfectly capable of placing a PHP script on my virtual host.  If the
> PHP script is able to complete the web socket handshake, then I can
> open a WebSocket connection to www.adambarth.com on port 80 from the
> user's browser.  Once the WebSocket handshake completes, I can now
> talk directly to the 1and1 server over more-or-less a raw socket,
> which means I can spoof further HTTP requests and potentially attack
> other virtual hosts that happen to be on the same physical machine,
> which is bad news bears.

No Adam. All you're trying to do is to protect against socket data
being taken as a new request. As I have already said several times now, we
just have to set "Connection: close" in the request to put an end to that.
We definitely don't want to risk that confusion!

From draft-ietf-httpbis-p1-messaging-11:
   7.1.2.1. Negotiation
   An HTTP/1.1 server MAY assume that a HTTP/1.1 client intends to
   maintain a persistent connection unless a Connection header including
   the connection-token "close" was sent in the request.
   ...
   If either the client or the server sends the close token in the
   Connection header, that request becomes the last one for the
   connection.

As you see, this is by definition, so we must use the close header and
we need to focus on real cross-protocol attacks, not the ones between
WS and HTTP servers based on the second request.

Regards,
Willy
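The following is an added illustration of the point argued in this message, not code from the thread or from any WebSocket implementation. It models how an HTTP/1.1 server that knows nothing about WebSocket frames a byte stream into requests under the persistence rules of the quoted draft section (7.1.2.1), and shows why a "close" connection-token on the handshake request keeps any bytes written afterwards on the same socket from being parsed as a second request. The function names, the sample handshake and the trailing bytes are all constructed for this example.

```python
# Added example (not from the hybi thread): a minimal model of HTTP/1.1 request
# framing on a persistent connection, used to show what a "close" token in the
# handshake's Connection header changes. Function names are my own.
from typing import List, Tuple

CRLF = b"\r\n"


def split_connection_tokens(value: str) -> List[str]:
    """Connection is a comma-separated list of case-insensitive tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def parse_request_head(data: bytes) -> Tuple[str, str, dict, int]:
    """Parse one request-line plus headers.

    Returns (method, version, headers, bytes_consumed); raises ValueError if
    the head is not complete yet (no empty line seen)."""
    end = data.find(CRLF + CRLF)
    if end < 0:
        raise ValueError("incomplete request head")
    lines = data[:end].decode("iso-8859-1").split("\r\n")
    method, _target, version = lines[0].split(" ", 2)
    headers: dict = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(val.strip())
    return method, version, headers, end + 4


def persistent_after(version: str, headers: dict) -> bool:
    """draft-ietf-httpbis-p1-messaging-11 7.1.2.1: an HTTP/1.1 connection is
    persistent unless a 'close' token was sent; HTTP/1.0 is not, unless the
    client asked for keep-alive."""
    tokens: List[str] = []
    for v in headers.get("connection", []):
        tokens.extend(split_connection_tokens(v))
    if "close" in tokens:
        return False
    if version == "HTTP/1.1":
        return True
    return "keep-alive" in tokens


def requests_framed(stream: bytes) -> List[str]:
    """Simulate a WebSocket-unaware server reading one socket: frame requests
    back to back until the connection stops being persistent or data runs out.
    Bodies are ignored (GET-only model); returns the request-lines acted on."""
    seen: List[str] = []
    pos = 0
    while pos < len(stream):
        try:
            _method, version, headers, consumed = parse_request_head(stream[pos:])
        except ValueError:
            break  # trailing bytes are not a complete request head
        seen.append(stream[pos:pos + consumed].split(CRLF, 1)[0].decode())
        pos += consumed
        if not persistent_after(version, headers):
            break  # server will close; whatever follows is never parsed
    return seen


# Constructed sample: an Upgrade request, followed by bytes that the peer writes
# afterwards on the same socket and that happen to look like another request.
AFTER_HANDSHAKE = b"GET /private HTTP/1.1\r\nHost: other-vhost.example\r\n\r\n"

HANDSHAKE_NO_CLOSE = (b"GET /ws HTTP/1.1\r\nHost: www.example\r\n"
                      b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n")
HANDSHAKE_WITH_CLOSE = (b"GET /ws HTTP/1.1\r\nHost: www.example\r\n"
                        b"Upgrade: WebSocket\r\nConnection: Upgrade, close\r\n\r\n")


def demo() -> Tuple[List[str], List[str]]:
    """Without the close token the model parses two requests; with it, one."""
    return (requests_framed(HANDSHAKE_NO_CLOSE + AFTER_HANDSHAKE),
            requests_framed(HANDSHAKE_WITH_CLOSE + AFTER_HANDSHAKE))


if __name__ == "__main__":
    without, with_close = demo()
    print("without close token:", without)
    print("with close token:   ", with_close)
```

The model deliberately stops at request framing: it does not validate the Upgrade exchange itself, only the persistence decision that the quoted draft text makes the server's responsibility once a "close" token is present.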