IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Maciej Stachowiak <mjs@apple.com> Tue, 28 September 2010 05:15 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 311493A6C31 for <hybi@core3.amsl.com>; Mon, 27 Sep 2010 22:15:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.137
X-Spam-Level:
X-Spam-Status: No, score=-105.137 tagged_above=-999 required=5 tests=[AWL=-1.738, BAYES_50=0.001, J_CHICKENPOX_54=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gamuJXGDpuMG for <hybi@core3.amsl.com>; Mon, 27 Sep 2010 22:15:42 -0700 (PDT)
Received: from mail-out4.apple.com (mail-out.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 43EF63A6C34 for <hybi@ietf.org>; Mon, 27 Sep 2010 22:15:42 -0700 (PDT)
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out4.apple.com (Postfix) with ESMTP id CD6DBB24CB5B for <hybi@ietf.org>; Mon, 27 Sep 2010 22:16:22 -0700 (PDT)
X-AuditID: 11807130-b7cf8ae0000058d2-07-4ca17a26550f
Received: from gertie.apple.com (gertie.apple.com [17.151.62.15]) by relay11.apple.com (Apple SCV relay) with SMTP id 65.E5.22738.62A71AC4; Mon, 27 Sep 2010 22:16:22 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.102.217] by gertie.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L9F00J1RYNACL60@gertie.apple.com> for hybi@ietf.org; Mon, 27 Sep 2010 22:16:22 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <AANLkTimk3-vmLuM6zE_v9ovf6-xbYNhrstVVSfNKh9_T@mail.gmail.com>
Date: Mon, 27 Sep 2010 22:16:21 -0700
Message-id: <C96D7AF4-40A0-45EB-B36D-8E4ECF0AE12A@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <AANLkTimk3-vmLuM6zE_v9ovf6-xbYNhrstVVSfNKh9_T@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 05:15:47 -0000

On Sep 26, 2010, at 10:35 PM, Greg Wilkins wrote:

> Maciej, Adam,
> 
> 
> On 27 September 2010 14:35, Maciej Stachowiak <mjs@apple.com> wrote:
>> If you don't understand the risks, then I am not sure you are in a good position to propose solutions or evaluate their effectiveness.
> 
> Please stop using insults of my suitability to partake in this
> discussion as substitutes for reasoned discussion.

I don't consider it an insult, rather, an encouragement to learn more about the problem space. I even gave you some pointers on how to learn more (in the part of the message you snipped).


> 
>> One thing I have learned is that it is very risky to have a defense that just barely works.
> 
> Something that many have not learnt is that having something that
> looks secure, but has not been subject to rigorous due diligence, is
> often highly insecure.

I don't think anyone is suggesting less diligence. I tried to do due diligence on your proposal, but you seem more interested in defending your solution than in learning more about the problem space.

> 
> 
>> The reason I am skeptical of your proposed ping-poing handshake as a defense
>> against cross-protocol attacks is that the *only* defense protecting WebSocket servers
>> from attacks over HTTP is the assumed inability of browser-hosted HTTP clients to send
>> whatever carries the random nonce, or something that looks sufficiently similar.
> 
> Well the ping pong proposal is actually not addressed at cross
> protocol concerns.   The ping pong proposal is focused on the supposed
> "fast fail" detection of intermediaries that do not support websocket.

That may be, but you made a security claim about it in your original message proposing it, and appeared to overlook cross-protocol attacks from HTTP to WebSocket, which is why I re-raised that point.

> 
> With regards to the defence against cross protocol attacks, the only
> change of substance that I have suggested is the removal of the space
> counting and random character injection in the keys transmitted.   I
> have suggested that the hashed response is carried in a websocket ping
> rather than as unframed data, but I do believe that changes the
> security nature of the issue (as any server that allowed the injection
> of 16 random unframed bytes would surely also allow the injection of a
> valid ping frame containing those bytes).
> 
> Thus the ping pong proposal carries essentially the same protection
> against cross protocol attacks as the current handshake:
> 
> 1) Standard in browser HTTP mechanisms are unable to generate the Sec- headers
> 2) The nonce is generated after the Websocket object is created - and
> changing it's encoding from char injected space divided strings to hex
> makes no difference.
> 3) Standard clients will be unable to generate the required pong
> response, just as they cannot generate the 8 random unframed bytes.

I'm not starting with the assumption that the current handshake is adequate, though I think it is slightly stronger than your proposal because the attacker has to control more of the request.

> 
> 
>> A potential improvement would be to require the server to produce a random number,
>> which is included in the ping and must be in the pong in addition to the hash. In that case,
>> an attacker could not queue up the correct pong without looking at the server's response at all.
>> But going down this road results in increasingly elaborate schemes, along the lines of the -76 handshake.
> 
> Great - a real technical proposal! The pong message is already
> required to contain the contents of the ping, so it is already not
> possible for a pong message to be simply queued (the attacker has
> neither the capability to send the bytes, nor the knowledge of what
> they should be).

I don't believe that is true. If the attacker is using an HTTP API and has injected the nonce, then the attacker also knows the hash of the nonce, and therefore can produce a pong response with the correct hash without waiting for a response from the server.

Incidentally, I would not stand behind a version of the ping/pong handshake that adds a server-generated random number. Servers at times accidentally use low-quality random-number generators, it would be better not to stake security on strength of a server-side RNG.

> 
> 
>> It's also likely there are more complicated flaws that we simply haven't thought of yet. I don't think we can
>> stake the security of this protocol just on our own ability to think up attacks within a period of only a few weeks.
> 
> Where have I suggested that we adopt the whack-a-mole approach of
> dealing with only specific known attacks.
> 
> I've have been talking about general capabilities that an attacker may
> have (eg what kind of bytes sequences they can generate on the wire)
> plus the general limitations on what an attacker may know (eg
> predicting nonce values, access to cookies etc.).     We then have to
> evaluate if the presence of websocket in a browser or server gives an
> attacker any additional capabilities or any additional knowledge that
> may contribute to any kind of attack.
> 
> It is not sufficient to simply say that cross protocol is really
> complex and scary an that any attempt to remove the space counting
> from the handshake is bound to open up a whole range of unknown and
> unforeseeable  security problems.

I'm not specifically advocating for space counting. I just think your proposed handshake is weak from a security perspective.

> 
> 
>> As I have thought about these issues, I am increasingly convinced that an NPN-style solution is much more robust.
> 
> Indeed it is, and I fully support efforts to standardize that as
> another way to establish websocket connections.

When a system provides multiple alternatives that the attacker can choose from, its security is only as strong as the weakest link. If the HTTP-based handshake creates undue risk of cross-protocol attacks, then the availability of a less exploitable alternative will not make the Web as a whole more secure.

> 
> Meanwhile we have some real proposals to establish websocket
> connections via a HTTP upgrade.  Can we please discuss this and the
> security implications of it.  If we are unable to come up with a
> reasoned and explicable security model for websocket, then the IETF
> processes will not allow any of our proposals progress.

I've given you input on your proposal. I explained in some detail why I think it is quite weak in the HTTP vs. WebSocket cross-protocol attack scenario. I don't see a substantive response to my comments in your message above. Can you give an argument for why the nonce+ping handshake is well-defended against cross-protocol attacks? I have made a case that it is not very strong, I believe the ball is in your court to show otherwise, regardless of the strength of any other handshake under consideration.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email