IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Maciej Stachowiak <mjs@apple.com> Tue, 28 September 2010 23:58 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E429C3A6BB5 for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 16:58:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.657
X-Spam-Level:
X-Spam-Status: No, score=-106.657 tagged_above=-999 required=5 tests=[AWL=-0.059, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TlBtgSr+TsWW for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 16:58:32 -0700 (PDT)
Received: from mail-out4.apple.com (mail-out.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id AB1533A6B73 for <hybi@ietf.org>; Tue, 28 Sep 2010 16:58:32 -0700 (PDT)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out4.apple.com (Postfix) with ESMTP id CE65FB27D843 for <hybi@ietf.org>; Tue, 28 Sep 2010 16:59:14 -0700 (PDT)
X-AuditID: 11807136-b7b3eae0000066cf-93-4ca2815200b8
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay15.apple.com (Apple SCV relay) with SMTP id 00.1B.26319.25182AC4; Tue, 28 Sep 2010 16:59:14 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_kMdl1tBRJptw7+x5Xr9uRw)"
Received: from [17.151.122.9] by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L9H0012ZEMQ3I90@elliott.apple.com> for hybi@ietf.org; Tue, 28 Sep 2010 16:59:14 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4CA21A0F.2030608@caucho.com>
Date: Tue, 28 Sep 2010 16:59:13 -0700
Message-id: <6470F2B1-F0A4-49FD-9EE3-7CEF5D355366@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <F1C112EC-28AB-4CE2-9208-2517077E5EC2@apple.com> <4CA21A0F.2030608@caucho.com>
To: Scott Ferguson <ferg@caucho.com>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 23:58:34 -0000

On Sep 28, 2010, at 9:38 AM, Scott Ferguson wrote:

> Maciej Stachowiak wrote:
>> On Sep 27, 2010, at 10:13 AM, Scott Ferguson wrote:
>> 
>>> 
>>> 2. Use a new AUTH or HELLO opcode/packet for the C3 hash instead of overloading PING. This would make the packet's purpose clear and give a space for any future challenge-based authentication to put its credentials in a future spec extension. (I'd recommend any authentication extension/C3-payload use HTTP style authentication headers so the extension could just use existing security handshakes.)
>>>    
>> 
>> #1 seems like an improvement, but #2 doesn't seem to give any security benefit.
>>  
> 
> #2 is certainly a security benefit for servers. If a server provides a non-browser service, it needs the ability to authenticate. That should be an obvious security need.

Can you explain the security benefit specifically of changing the opcodes of the packets involved in the handshake? It's not clear to me. A new authentication scheme may or may not have benefits on its own, but changing the handshake message opcodes does not seem to make any difference to this.

> 
>>> No, it's different from -76, because the properties of the nonce/hash pattern are well known. The flaw with -76 is just what you describe: it's inventing new security patterns and is likely to have complicated flaws. Sticking to a well-known pattern is the right way to go.
>>>    
>> 
>> Nonce/hash is a well-known mechanism. But I do not believe there is a lot of knowledge on using it as a defense against cross-protocol attacks. Generally it is used as part of a challenge-response mechanism for authentication purposes, but authentication is not the goal here. There is no shared secret or public-private keypair involved.
>>  
> 
> Authentication is the goal here. The whole point of defeating a cross-protocol attack is authenticating both the client and the server as implementing the correct protocol. Once you've validated both sides as implementing websockets, then any attack is no longer a cross-protocol attack.
> 
> The shared "secret" is the "WebSocket" value in the hash. For server authentication, H(c-nonce, "WebSocket"), only a websocket server will ever produce that hash because on a websocket server has that "secret". SMTP cannot produce that response because it don't have that secret (and doesn't produce hashes at all, of course.)

This does not seem like a classical authentication problem to me. There is no actual secret and no actual proof of identity. Rather, the cross-protocol defense provided depends on the presumed inability of stock servers or browser-hosted client code to send or meaningfully process particular messages. For example, the security of this scheme would be largely unaffected if the hash was not cryptographically secure, which is surely not the case with actual authentication schemes. Robustness against cross-protocol attacks is simply not the same problem.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email