IETF Logo Mail Archive

Re: [hybi] A WebSocket handshake

Adam Barth <ietf@adambarth.com> Thu, 07 October 2010 16:48 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4015D3A6FA6 for <hybi@core3.amsl.com>; Thu, 7 Oct 2010 09:48:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.94
X-Spam-Level:
X-Spam-Status: No, score=-1.94 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xiyv-tDOA3fD for <hybi@core3.amsl.com>; Thu, 7 Oct 2010 09:48:18 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by core3.amsl.com (Postfix) with ESMTP id 4BB943A6F74 for <hybi@ietf.org>; Thu, 7 Oct 2010 09:48:18 -0700 (PDT)
Received: by yxl31 with SMTP id 31so25460yxl.31 for <hybi@ietf.org>; Thu, 07 Oct 2010 09:49:20 -0700 (PDT)
Received: by 10.100.127.3 with SMTP id z3mr1343002anc.225.1286470160225; Thu, 07 Oct 2010 09:49:20 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by mx.google.com with ESMTPS id g29sm1889798anh.16.2010.10.07.09.49.18 (version=SSLv3 cipher=RC4-MD5); Thu, 07 Oct 2010 09:49:18 -0700 (PDT)
Received: by gwb20 with SMTP id 20so22428gwb.31 for <hybi@ietf.org>; Thu, 07 Oct 2010 09:49:17 -0700 (PDT)
Received: by 10.42.177.7 with SMTP id bg7mr236886icb.181.1286470157276; Thu, 07 Oct 2010 09:49:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.149.20 with HTTP; Thu, 7 Oct 2010 09:48:44 -0700 (PDT)
In-Reply-To: <AANLkTimpEeOd0dzkLLvrHbyiykZxYHMCxHiSjzSRxC_d@mail.gmail.com>
References: <AANLkTimQ5x-v+Mz_OHrNDdtVd94E+HOBWwo3_f1ktEeg@mail.gmail.com> <AANLkTinw7CpY9d1pW0dEtY9kTLoY6dwoUcXHkLbK7b_q@mail.gmail.com> <AANLkTik4sgV17C_LL9AoJSk0kudk6jDb2N-icZ+DmneX@mail.gmail.com> <AANLkTimpEeOd0dzkLLvrHbyiykZxYHMCxHiSjzSRxC_d@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 07 Oct 2010 09:48:44 -0700
Message-ID: <AANLkTik7gsR+eL=9F1+VcQ236oQGZMzf4u4yh50z0jPL@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] A WebSocket handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Oct 2010 16:48:19 -0000

On Wed, Oct 6, 2010 at 11:42 PM, Greg Wilkins <gregw@webtide.com> wrote:
> On 7 October 2010 16:23, Adam Barth <ietf@adambarth.com> wrote:
>>>> === Handshake Request ===
>> That's factually inaccurate.  The URL and subprotocol information is
>> included in the initial encrypted.
>
> I'm sorry - I was confused by your statement that "The attacker cannot
> influence
> any of the bytes included in the message".   Your proposal read like
> this information was
> sent in a subsequent request.

Perhaps a better wording would have been "The attacker cannot choose
any of the bytes sent on the wire."  I've updated the document.

> So an attacker can influence the bytes in the handshake.

Yes, but the attacker cannot choose any of the bytes sent on the wire,
which is one of the essential security properties of the handshake.
That makes it quite difficult for the attacker to confuse
non-WebSocket servers (which won't decrypt the additional information
because they lack the UUID).

>> No.
>> [...]
>> Fortunately, this handshake does not punish correctly implemented
>> intermediaries.
>
> Care to explain?
>
> You say that an intermediary that understands CONNECT will route to a
> non-existent domain.
> How will such an intermediary be able to work with websocket?

Such an intermediary is not correctly implemented.

>> The attacker in our threat model is not allowed to provide a proxy
>> autoconfig file.
>
> again - probably true... but I'd like to see the detailed anaysis as
> to why that is so.

This is standard stuff in web security.  An attacker who controls your
proxy autoconfig is equivalent to an active network attacker.

> There are basically two elements to it, that I actually should be
> considered separately and as incremental proposal to the current
> draft.
>
> 1) Encrypt the user/attacker supplied data.    There may be some merit
> in this, but it can be equally applied to the upgrade approach as it
> can to a CONNECT approach.   But you analysis of the threat is based
> on a strawman and I do not believe that you have substantiated any
> significant vulnerability where a URL or field value of a HTTP request
> may be interpreted as content in another protocol - that is not
> already vulnerable to HTTP clients.  Without an real threat, I do not
> believe that encryption is worth while.
>
> 2) Use of CONNECT rather than upgrade.  Again, there is some merit in
> considering this, but I believe it has been discussed before and
> eventually rejected.  There is the issue that an intermediary that
> correctly implements CONNECT will not pass such a hand shake.  If that
> concern can be addressed, and if we can do some real world testing of
> how CONNECT performs, then maybe it is a candidate.

Yes.  Both those aspects are important to the security of the
handshake.  I don't believe the handshake is secure without them.

Adam

v2.23.0 | Report a Bug | By Email