IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Tue, 12 October 2010 00:09 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 890683A6BA5 for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 17:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.983
X-Spam-Level:
X-Spam-Status: No, score=-1.983 tagged_above=-999 required=5 tests=[AWL=-0.006, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jELC4Buwu3yW for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 17:09:42 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id A3B553A6BA2 for <hybi@ietf.org>; Mon, 11 Oct 2010 17:09:42 -0700 (PDT)
Received: by gyc15 with SMTP id 15so631859gyc.31 for <hybi@ietf.org>; Mon, 11 Oct 2010 17:10:55 -0700 (PDT)
Received: by 10.151.21.8 with SMTP id y8mr7467682ybi.323.1286842255367; Mon, 11 Oct 2010 17:10:55 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id q34sm6244807yba.10.2010.10.11.17.10.53 (version=SSLv3 cipher=RC4-MD5); Mon, 11 Oct 2010 17:10:54 -0700 (PDT)
Received: by iwn10 with SMTP id 10so5392059iwn.31 for <hybi@ietf.org>; Mon, 11 Oct 2010 17:10:53 -0700 (PDT)
Received: by 10.231.149.140 with SMTP id t12mr5161576ibv.100.1286842253053; Mon, 11 Oct 2010 17:10:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.31.4 with HTTP; Mon, 11 Oct 2010 17:10:22 -0700 (PDT)
In-Reply-To: <4CB3A632.4070103@caucho.com>
References: <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com> <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de> <4CB0A27D.9000307@caucho.com> <m2c1b6dkeesdbh66no4hdfn86mhkq1mfiv@hive.bjoern.hoehrmann.de> <4CB10E6D.8000706@caucho.com> <6o32b65n4kjrueo7e5fb1n9n3m2g7lfg5r@hive.bjoern.hoehrmann.de> <4CB341CC.90300@caucho.com> <AANLkTinJM9fK2p2-kp5-PaNsWGA9EiJgxFbOXwC0hE+v@mail.gmail.com> <4CB3A632.4070103@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 11 Oct 2010 17:10:22 -0700
Message-ID: <AANLkTinHiAPxU1t84K4+=xcrfnGHsEK5C-k2YbYGFQHF@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2010 00:09:43 -0000

On Mon, Oct 11, 2010 at 5:05 PM, Scott Ferguson <ferg@caucho.com> wrote:
> Adam Barth wrote:
>> On Mon, Oct 11, 2010 at 9:56 AM, Scott Ferguson <ferg@caucho.com> wrote:
>>> You didn't address point #6, the open DELETE.
>>>
>>> The target is pre-compromised because it has an open DELETE (point #6)
>>> and
>>> the target is pre-compromised because it's on the same machine as the
>>> attacker (point #1).
>>>
>>> You're requiring a pre-compromised target to make this attack work.
>>
>> I'm not sure what pre-compromised means.  I'm not sure that I'd run my
>> servers in this configuration, but that doesn't mean lots of other
>> people don't.
>
> 1. Your target has an open vulnerability ("DELETE") to non-browser clients
> 2. Your attacker is running an arbitrary program on the same machine as the
> target.
> 3. Your attacker has control over the target's web server.
>
> That target server is already under the control of the attacker. Adding a
> browser attack to that scenario is superfluous.

We'll just have to agree to disagree on that point.  This scenario is
one that browser vendors are interested in defending against.

Adam

v2.23.0 | Report a Bug | By Email