IETF Logo Mail Archive

Re: [hybi] Web sockets and existing HTTP stacks

Maciej Stachowiak <mjs@apple.com> Wed, 03 February 2010 10:01 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E7583A6BED for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 02:01:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.436
X-Spam-Level:
X-Spam-Status: No, score=-106.436 tagged_above=-999 required=5 tests=[AWL=0.163, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c-LMKceZiCV1 for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 02:01:48 -0800 (PST)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 5B97B3A6BC7 for <hybi@ietf.org>; Wed, 3 Feb 2010 02:01:48 -0800 (PST)
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out3.apple.com (Postfix) with ESMTP id 4C3A483410E4 for <hybi@ietf.org>; Wed, 3 Feb 2010 02:02:30 -0800 (PST)
X-AuditID: 11807134-b7cd9ae000001002-bb-4b6949b6d5ae
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay14.apple.com (Apple SCV relay) with SMTP id DD.8B.04098.6B9496B4; Wed, 3 Feb 2010 02:02:30 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.86.222] by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KX900AZ2FW5E310@et.apple.com> for hybi@ietf.org; Wed, 03 Feb 2010 02:02:30 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <ad99d8ce1002030107i5994c847yf639b660dc64cdc9@mail.gmail.com>
Date: Wed, 03 Feb 2010 02:02:29 -0800
Message-id: <7CB6EE56-B840-4368-ABAF-C8AA1CCE6600@apple.com>
References: <557ae280911171402v7546e5e7n93a1e57f87dc10e5@mail.gmail.com> <Pine.LNX.4.64.1001310835410.3846@ps20323.dreamhostps.com> <4B67A237.2040505@webtide.com> <ad99d8ce1002012139l3b8f525bj9caf7861332f3d18@mail.gmail.com> <1427E183-FDBC-4854-9455-B93AB28DAB03@apple.com> <ad99d8ce1002012343n132169f8wbaacc1cf4efe2f87@mail.gmail.com> <31123817-6D3F-489D-9F48-109AC93E6769@apple.com> <ad99d8ce1002030000i566f3517qddf4e62f386c9211@mail.gmail.com> <4B692EDB.1060300@gmx.de> <E9DF7FE9-70F0-4268-8CEF-1007D71F9FBB@apple.com> <ad99d8ce1002030107i5994c847yf639b660dc64cdc9@mail.gmail.com>
To: Roberto Peon <fenix@google.com>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: hybi@ietf.org
Subject: Re: [hybi] Web sockets and existing HTTP stacks
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 10:01:49 -0000

On Feb 3, 2010, at 1:07 AM, Roberto Peon wrote:

> 
> How exactly does the random bit of text in the first line help?

In the case of a cross-protocol attack against HTTP, it's likely harder to inject text into the status line than it is to inject a response header, so that's the reason why it is in the first line. In the case of a cross-protocol attack against other protocols, in general it's harder to mess with the very beginning of the server response than the end (though not always).

The text is not random, it is a hash of some information from the request. The reason for the particular nature of the bit of text is to further increase the challenge of cross-protocol attacks by requiring the handshake response to contain something that (a) cannot be predicted before client JS tries to initiate the connection; and (b) is not a verbatim echo of anything in the handshake request. So even if you can find a server that will echo back exact text of your choice, or pieces of the request of your choice, you cannot make it return what appears to be a valid handshake response.

> You still have to frame the HTTP response, which means that any errors in that framing are going to be causing problems.

I don't understand what kinds of problems you have in mind, could you clarify?

> In other words, the response will always be as insecure as HTTP. No way around that while still using HTTP. And, as we've already covered, not using HTTP isn't a terribly good option while on port 80 until the upgrade has finished.

Again, I don't know what you mean by "as insecure as HTTP". Specifically what we're worried about here are cross-protocol attacks (both using WebSocket and against a WebSocket service). The fact that the handshake format is an HTTP request does increase the risk in both directions, but we can do things to mitigate it. If you think my proposed defense is ineffective, could you explain how?

Regards,
Maciej

v2.23.0 | Report a Bug | By Email