Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Mon, 11 October 2010 18:01 UTC

In-Reply-To: <4CB34F1D.1@caucho.com>
References: <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com> <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de> <4CB0A27D.9000307@caucho.com> <m2c1b6dkeesdbh66no4hdfn86mhkq1mfiv@hive.bjoern.hoehrmann.de> <4CB10E6D.8000706@caucho.com> <6o32b65n4kjrueo7e5fb1n9n3m2g7lfg5r@hive.bjoern.hoehrmann.de> <4CB341CC.90300@caucho.com> <iah6b6526sush1hv7e982lu4003r455i4e@hive.bjoern.hoehrmann.de> <4CB34F1D.1@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 11 Oct 2010 11:02:16 -0700
Message-ID: <AANLkTinhH4mB4kGQJZeHdW4AScK3VfjVPkpUORJ4NA0a@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

On Mon, Oct 11, 2010 at 10:53 AM, Scott Ferguson <ferg@caucho.com> wrote:
> Bjoern Hoehrmann wrote:
>> * Scott Ferguson wrote:
>>> The target is pre-compromised because it has an open DELETE (point #6)
>>> and the target is pre-compromised because it's on the same machine as the
>>> attacker (point #1).
>>
>> You are misunderstanding the example trace I gave. The DELETE is sent to
>> the attacker, not the target. The server 1.2.3.4 needs to think that the
>> client is still talking HTTP, and if the first thing it sees is "ħ<" or
>> something like that, it might respond with an error message and close
>> the connection. "DELETE..." in US-ASCII looks like a Websocket text
>> frame and like HTTP, so I am using that as an example. If the attacker
>> manages to create the initial frames such that the web server keeps the
>> connection open, then he can send pretty much arbitrary HTTP requests to
>> the target server.
>>
>
> The "DELETE" represents the HTTP request that a normal browser cannot
> produce but the WebSocket request supposedly can.
>
> The point is, a server cannot rely on browser restrictions to protect its
> HTTP site. It must defend itself against arbitrary clients which are
> perfectly capable of sending arbitrary, perfectly valid requests.
>
> The attempt to avoid that server-side responsibility by using an IP
> restriction to a foreign site (the office) is not any kind of real defense.

I encourage you to read the archives of the W3C webapps working group.
These issues were discussed in great depth when we were working on
CORS and UMP.  The consensus was that these things were worth worrying
about and the resultant protocols, both as specced and as implemented,
defend against these threats.  In that case, defending against these
threats was actually somewhat costly, unlike here where it's quite
cheap.

Adam
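The cross-protocol trace Bjoern describes in the quoted text, worked through in code. This is an added example and not code from the thread or from any WebSocket implementation: it builds a draft-hixie-76 style text frame (0x00, payload, 0xFF) around an attacker-chosen "DELETE ..." payload, feeds it to a deliberately forgiving stand-in HTTP request-line parser that tolerates leading junk (modelling the "server keeps the connection open" case), and then shows the same payload under per-frame client masking, the defence the final protocol (RFC 6455) adopted so that the script driving the browser does not control the bytes on the wire. The host name, path and mask key are constructed for the example.

```python
"""Added example (not from the original thread): why attacker-chosen
WebSocket payload bytes can read as an HTTP request to an HTTP-only server,
and how RFC 6455 client-to-server masking removes that control."""
import os

# The request the attacker wants the HTTP-only server to act on.
# Constructed sample; the host and path are made up for illustration.
ATTACKER_PAYLOAD = (
    b"DELETE /admin/users/42 HTTP/1.1\r\n"
    b"Host: target.internal\r\n"
    b"\r\n"
)


def legacy_text_frame(payload: bytes) -> bytes:
    """draft-hixie-76 style text frame: 0x00, UTF-8 payload, 0xFF.
    The payload bytes travel verbatim, so US-ASCII 'DELETE ...' is on the wire."""
    return b"\x00" + payload + b"\xff"


def rfc6455_client_frame(payload: bytes, mask_key=None) -> bytes:
    """Minimal RFC 6455 client-to-server text frame (FIN=1, opcode=1, MASK=1)
    for payloads shorter than 126 bytes. Every payload byte is XORed with a
    4-byte key the client picks; the page script never sees the wire bytes."""
    if mask_key is None:
        mask_key = os.urandom(4)  # a real client picks a fresh key per frame
    if len(mask_key) != 4 or len(payload) >= 126:
        raise ValueError("example supports 4-byte keys and payloads < 126 bytes")
    header = bytes([0x81, 0x80 | len(payload)])
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return header + mask_key + masked


def unmask_client_frame(frame: bytes) -> bytes:
    """Server side of the masking: recover the payload from a frame built by
    rfc6455_client_frame. Only a WebSocket-aware endpoint does this."""
    if frame[0] != 0x81 or not frame[1] & 0x80:
        raise ValueError("not a masked single text frame")
    length = frame[1] & 0x7F
    key = frame[2:6]
    masked = frame[6:6 + length]
    return bytes(b ^ key[i % 4] for i, b in enumerate(masked))


def lenient_request_line(stream: bytes):
    """Stand-in for an HTTP server that tolerates leading junk (NUL, CRLF,
    spaces) before a request line. Returns (method, target, version) or None.
    Deliberately forgiving: this is the behaviour the attack needs."""
    stream = stream.lstrip(b"\x00\r\n ")
    line, _, _ = stream.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, target, version = parts
    if not (method.isalpha() and method.isupper()):
        return None
    return method.decode(), target.decode(), version.decode()


def demo() -> dict:
    """Compare what the forgiving HTTP parser makes of each framing."""
    unmasked = legacy_text_frame(ATTACKER_PAYLOAD)
    masked = rfc6455_client_frame(ATTACKER_PAYLOAD)
    return {
        "legacy_frame_parsed_as": lenient_request_line(unmasked),
        "masked_frame_parsed_as": lenient_request_line(masked),
        "server_recovers_payload": unmask_client_frame(masked) == ATTACKER_PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point the toy parser makes is Bjoern's: whether the attack works depends on the receiving server's tolerance for the framing bytes, not on anything the browser enforces. Masking changes that, because the attacker-supplied payload never appears verbatim on the wire, whatever the server does with leading junk.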