Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Sat, 09 October 2010 02:19 UTC

Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 80D093A677C for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 19:19:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.205
X-Spam-Level:
X-Spam-Status: No, score=-2.205 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hvBEikHNVz74 for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 19:19:08 -0700 (PDT)
Received: from smtp111.biz.mail.sp1.yahoo.com (smtp111.biz.mail.sp1.yahoo.com [69.147.92.224]) by core3.amsl.com (Postfix) with SMTP id D1F003A698F for <hybi@ietf.org>; Fri, 8 Oct 2010 19:19:07 -0700 (PDT)
Received: (qmail 28753 invoked from network); 9 Oct 2010 02:20:11 -0000
Received: from [192.168.1.11] (ferg@66.92.8.203 with plain) by smtp111.biz.mail.sp1.yahoo.com with SMTP; 08 Oct 2010 19:20:11 -0700 PDT
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: iLZ6rW8VM1mFLvELJ.G8O1Jf_Nd81.nf6FurlhPQiMbWQh4 s6KmITbfR4vXc57JC0GX5ZsuEeBYgD4YpoaYCGNZEXiSj1T27ryIT7qdJ6i5 pPUl0CbLYzpVHj9mPyqCoI3Uz6xyOp9dxIUzGNRuY5tsqs5NHHhKggRVWdgF 5e1kb887GRfhuIAEZva.1D54rgqNHG9KgFJOpl75UndXC4E6aWolDHnZDmk0 cHrmzGIMDkrkWhtbTbbpAco9JLiGMGD0NV2w8o78LlWSQqAsVU9b3osGQ88M 7GxAmcITsaLJbQP_7UWT.4_d.Lxly3OdCBp1N02lR0HzdPJZXi8cMHw--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CAFD15B.6000503@caucho.com>
Date: Fri, 08 Oct 2010 19:20:11 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de> <4CAFB9C4.6030905@caucho.com> <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com>
In-Reply-To: <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 02:19:09 -0000

Eric Rescorla wrote:
>
>
> On Fri, Oct 8, 2010 at 5:39 PM, Scott Ferguson <ferg@caucho.com 
> <mailto:ferg@caucho.com>> wrote:
>
>
>
>     To consider the original scenario, do you think the case where the
>     attacker's PHP script is on the same physical and virtual machine
>     as the target is something WebSockets needs to address? Or that
>     the shared machine configuration is already so compromised that
>     complicating WebSockets to address that scenario adds no real value.
>
>
> This case definitely needs to be addressed. It's a completely standard 
> hosting
> configuration.

To clarify, this scenario has the attacker running an arbitrary program 
on the same physical/virtual machine as the target. Standard 
configuration or not isn't the issue.

The issues are:

  1) When the attacker can already run a program on the same machine as 
the target, the existing vulnerabilities of that environment swamp any 
theoretical websocket cross-protocol vulnerability.

  2) The attacker has to somehow get assigned to the exact same instance 
as the target. Somehow. I'm not sure how that would be accomplished.

  3) The ISP has to be too lazy to add <Limit WEBSOCKET> to their shared 
http server.

  4) The scope of potential targets is limited to those sites unwilling 
to even pay for their own virtual instance ($11/month on rackspace). Not 
that hobby sites aren't important to their owners, but you'd need to 
argue that they're worth the effort of attacking using 1-3.

Just to clarify, that's the case we're considering.

-- Scott
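The `<Limit WEBSOCKET>` mitigation mentioned in point 3 above, written out as an added Apache httpd configuration example (not part of the original message or of any draft text). It assumes, as the thread does, that the handshake is sent with a distinct `WEBSOCKET` HTTP method rather than `GET`, and that the shared host wants to refuse that method everywhere except one explicitly enabled path; the `/ws-app/` path and the Apache 2.4 `Require` syntax are illustrative choices, not values from the page.

```apache
# Constructed example: refuse the (hypothetical) WEBSOCKET handshake method
# on a shared virtual host by default, so a script uploaded by one tenant
# cannot be reached by a browser-initiated WebSocket handshake.
<VirtualHost *:80>
    ServerName shared.example.test
    DocumentRoot /var/www/shared

    <Directory /var/www/shared>
        # Apache registers method names it does not know when they appear
        # in <Limit>, so an extension method can be restricted this way.
        <Limit WEBSOCKET>
            Require all denied
        </Limit>
    </Directory>

    # Opt-in exception: only the path the operator deliberately exposes
    # to WebSocket clients accepts the handshake method.
    <Location /ws-app/>
        <Limit WEBSOCKET>
            Require all granted
        </Limit>
    </Location>
</VirtualHost>
```

Note the check a practitioner would want before relying on this: `<Limit>` only covers the method names listed, so if the handshake were instead carried on an ordinary `GET` (as the older drafts did), this block would not match it, and the restriction would have to key on the `Upgrade` header or on a dedicated endpoint rather than on the method.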