IETF Logo Mail Archive

Re: [hybi] workability (or otherwise) of HTTP upgrade

John Tamplin <jat@google.com> Thu, 09 December 2010 05:44 UTC

Return-Path: <jat@google.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31A2C3A69CC for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 21:44:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.58
X-Spam-Level:
X-Spam-Status: No, score=-109.58 tagged_above=-999 required=5 tests=[AWL=-0.203, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BKw7fVd0gLd7 for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 21:44:13 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 583BA3A69CB for <hybi@ietf.org>; Wed, 8 Dec 2010 21:44:13 -0800 (PST)
Received: from hpaq14.eem.corp.google.com (hpaq14.eem.corp.google.com [172.25.149.14]) by smtp-out.google.com with ESMTP id oB95jfmo009726 for <hybi@ietf.org>; Wed, 8 Dec 2010 21:45:41 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1291873541; bh=c+qoJREeVKqtb/AgjWROAAikTi0=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=c3345egw3NnLgFhqlimhRhBAuvJ3b8XmOr4erOVX5/DW/b9axlbP8dQmRQVImsuJm Vv+e3sfAjp2D26WGihagw==
Received: from yxt3 (yxt3.prod.google.com [10.190.5.195]) by hpaq14.eem.corp.google.com with ESMTP id oB95jGeS027365 for <hybi@ietf.org>; Wed, 8 Dec 2010 21:45:40 -0800
Received: by yxt3 with SMTP id 3so1156869yxt.19 for <hybi@ietf.org>; Wed, 08 Dec 2010 21:45:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=QStv3ZIIaycIQb7iqTGlACQ5PTwV86uMa3pU03gbTdo=; b=sp2T4u7pn4VdmjqsWNrxXyCaGQyvYGNXz9w4cTNKnjLEgQ3gnUJk7mSWyIBwh+HpWe MID5bluAfUE3TNJo0QmA==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=IdegSQ9fE+PqixpA1Xj7kbxmKTCxOi1rMddj27Jor5aPIGzjBctw7nVA+zNouF677Y RS9Xnbl7IvfAIlkR1K9w==
Received: by 10.150.91.18 with SMTP id o18mr5753429ybb.92.1291873539669; Wed, 08 Dec 2010 21:45:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.150.137.17 with HTTP; Wed, 8 Dec 2010 21:45:19 -0800 (PST)
In-Reply-To: <25E88686-BE24-4EFD-8330-25916C891664@mnot.net>
References: <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <57D4B885-B1D8-482F-8747-6460C0FFF166@apple.com> <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net> <4F2580A7-79C2-4B0A-BCE5-7FB6D9AA0ED7@apple.com> <BB31C4AB95A70042A256109D461991260583956C@XCH117CNC.rim.net> <EA41A6C7-971C-4EC8-AA6F-96363B7FDC4C@gmail.com> <73E53F19-E0E7-4ADB-B765-ABAF0B4A6736@mnot.net> <r2f0g6d7bj770kg0db5ptr027ninmckns8@hive.bjoern.hoehrmann.de> <20C2FBB9-901F-4235-AF23-EC8262585905@mnot.net> <mgj0g6hseqb6j92au80f8d1ook058nb33m@hive.bjoern.hoehrmann.de> <25E88686-BE24-4EFD-8330-25916C891664@mnot.net>
From: John Tamplin <jat@google.com>
Date: Thu, 09 Dec 2010 00:45:19 -0500
Message-ID: <AANLkTimSrRMTzOuRcmkAnNfHZvh3g_fktv+E=p=G2tw8@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: hybi HTTP <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2010 05:44:15 -0000

On Wed, Dec 8, 2010 at 10:55 PM, Mark Nottingham <mnot@mnot.net> wrote:
> CONNECT to a server (intermediary or origin) that isn't expecting it can
> and will be treated like any other method that isn't understood -- it's
> perfectly legitimate for a server to generate a 405 Method Not Allowed.

Sure, and in such a case no WebSocket frames will be sent on the
connection and no attack can take place.

Adam's experiment found cases where transparent intermediaries did not
treat GET+Upgrade as any different from GET (and therefore the following
frames were interpreted as HTTP), while they found none that treated
frames exchanged after a successful CONNECT as if they were HTTP.

That doesn't mean that such intermediaries do not exist, but it does seem
to indicate that CONNECT is stronger than GET+Upgrade regarding
confusing transparent intermediaries.

> As such, using CONNECT isn't a guarantee that the message framing
> has changed on the request, until the server agrees to its semantics.
> Given that those semantics are specific to configured proxies, and an
> intermediary "agrees" by forwarding the message even when it doesn't
> understand its semantics, this is indeed an entirely hope-based
> assumption; that every intermediary (firewalls, virus scanners, caching
> proxies) is built to understand CONNECT, even when many of them
> can't be configured as an explicit proxy at all.

Transparent intermediaries are by definition not configured into the browser.
They don't know what the browser is actually connecting to when they
view and possibly intercept the presumed HTTP traffic.  As such, they
already have to be written to assume the browser might in fact be
connecting to a non-transparent proxy, so the presence of a CONNECT
method should not be unexpected.

If the destination server is not a WebSocket server, then it will not pass
the handshake test and therefore no WebSocket frames will transit the
intermediary.

>> I think there is a rough consensus to do some XOR obfuscation if that
>> is necessary or helpful, even though some would rather be able to do
>> the easy sendfile() call instead, but the benefits are not very clear
>> (if the attacker learns or can predict the XOR key, you've not gained
>> much, in some scenarios anyway.)
>
> I was thinking more about stripping newlines, etc., but yes, it's more
> expensive. Just not sure why that's an issue, which is why I asked...

Some people worry about servers that have to terminate a very large
number of WebSocket connections, so the memory and CPU
requirements do matter.

I think stripping newlines or padding is more expensive to overall
performance than doing XOR or encryption, since the number of
bytes change and now you have to make a second pass through
the frame to get the correct length, or require the reader to do it a
byte at a time.

At least XOR with a per-frame key adds a fixed number of bytes,
so you can just add that to the frame length received from the
upper layer.

-- 
John A. Tamplin
Software Engineer (GWT), Google

v2.23.0 | Report a Bug | By Email