IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Maciej Stachowiak <mjs@apple.com> Thu, 30 September 2010 01:40 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D7D9D3A69B7 for <hybi@core3.amsl.com>; Wed, 29 Sep 2010 18:40:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.999
X-Spam-Level:
X-Spam-Status: No, score=-105.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnBRrEifcZc7 for <hybi@core3.amsl.com>; Wed, 29 Sep 2010 18:40:20 -0700 (PDT)
Received: from mail-out4.apple.com (mail-out.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id C916E3A6ADE for <hybi@ietf.org>; Wed, 29 Sep 2010 18:40:20 -0700 (PDT)
Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out4.apple.com (Postfix) with ESMTP id AEBCAB2BB0A0 for <hybi@ietf.org>; Wed, 29 Sep 2010 18:41:05 -0700 (PDT)
X-AuditID: 1180711d-b7b8eae0000035ac-b4-4ca3eab14fd1
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay13.apple.com (Apple SCV relay) with SMTP id 3F.34.13740.1BAE3AC4; Wed, 29 Sep 2010 18:41:05 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [66.109.106.76] by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L9J008KTE0B1H00@elliott.apple.com> for hybi@ietf.org; Wed, 29 Sep 2010 18:41:02 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <20100929204518.GD10026@1wt.eu>
Date: Wed, 29 Sep 2010 18:40:52 -0700
Message-id: <6B4FE9F4-37E9-4D72-9325-9014F725373E@apple.com>
References: <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com> <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com> <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <20100929171550.GB8583@1wt.eu> <D82A525D-5F37-4392-AE8A-A5246E5694F3@apple.com> <20100929204518.GD10026@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2010 01:40:21 -0000

On Sep 29, 2010, at 1:45 PM, Willy Tarreau wrote:

> On Wed, Sep 29, 2010 at 12:33:05PM -0700, Maciej Stachowiak wrote:
>>> Except that you have the Upgrade header which requires a 101 in
>>> response. A normal HTTP server will either :
>>> - ignore the Upgarde and return a classical code (200, 404, 403, ...)
>>> - consider the Upgrade header and either return 101 because it matches
>>>   the protocol it supports (WebSocket) or return an error code because
>>>   it does not support the WS protocol.
>> 
>> A standalone WebSocket server may well ignore the presence/absence of the Upgrade header, since performing the rest of the handshake does not depend on it in any way. Since checking it is not technologically required, it's likely some servers won't check it.
> 
> OK now I see your point. However I disagree with the need to protect
> such a broken implementation.

As a browser implementor, I don't have the luxury of taking that stance. Users will blame the browser.

> We're back to the "and what if the server-side implementation is buggy ?".

We can design the protocol so it's easy to make mistakes that cause a security vulnerability. Or we can make it hard to make mistakes. I prefer the latter. Same reason much application-level server code is written in languages that do not have raw pointers - why use a more error-prone tool if you don't have to?

> A publicly accessible server
> returning 101 to random requests will just get tons of unwanted requests
> from random HTTP scans which will cause it major trouble anyway.

Depends on what it's checking. If it looks for a string matching "Sec-WebSocket-Nonce" or what have you, that won't be in most random unwanted requests. Note that one case we are concerned about is severs protected solely by a firewall. In that case, the only way parties outside the firewall can do random scans is by hijacking a user's browser, and using the browser's HTTP capabilities.

But in any case, the very thing I am proposing we do is design the handshake so it's not likely that servers would be at risk from random HTTP scans.

Note that the NPN+TLS handshake won't have this problem. There's no way to produce anything that looks even remotely like it form a browser-hosted HTTP client.

> The
> presence of the Upgrade header *is* the only element that can dictate
> a valid response. However I agree that the handshake should ensure
> that a client can quickly escape from such a broken implementation,
> the same way as right now a browser should reject responses which do
> not look like HTTP.

That may be useful in its own right, but it would not in any way help in the case of an HTTP client being used to attack WebSocket. The HTTP client implementation will not be looking for a WebSocket server, broken or otherwise, so nothing the client does can offer any protection.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email