Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Adam Barth <ietf@adambarth.com> Sat, 04 December 2010 09:25 UTC

In-Reply-To: <22E8BF2D-C86E-4A2A-9D4D-8DE070474324@apple.com>
References: <AANLkTik0wR-Oag5YJJDmdiSy67WW6TMaHmqWEo4o5kGW@mail.gmail.com> <AANLkTimwEtKrJm5KxTYZ4wrtONBYDTGjE5LF7__AHBEU@mail.gmail.com> <AANLkTik+pmVoyK0fkz6mG0+KDqdvyVxaYtM9w7KDo4Xa@mail.gmail.com> <22E8BF2D-C86E-4A2A-9D4D-8DE070474324@apple.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 04 Dec 2010 01:25:42 -0800
Message-ID: <AANLkTim35D4NVD8MkdN0+8XhvN0-o5rXwizvvxiESUXx@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

On Wed, Dec 1, 2010 at 3:08 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Dec 1, 2010, at 11:45 AM, Zhong Yu wrote:
>> We can still cross-examine the data and find something mysterious.
>>
>> From POST to Upgrade column, the firewall circumvention attack
>> successes decrease from 1376 to 1. If I'm mistaken, please correct me
>> with the right explanation, but I believe the POST experiment sent
>> clean/compliant HTTP requests, and the Upgrade experiment sent the
>> attack data framed - the non-http bytes busted 99.9% parsers used by
>> the transparent proxies.
>>
>> Yet, the cache poisoning attack success count only drops from 15 to 8.
>> This attack also depends on proxies' ability to parse http requests.
>> If the non-http bytes in the Upgrade protocol would bust 99.9%
>> parsers, we should see the attack success count drop to 15/1000 = 0.
>>
>> So I must question the validity of the 8 success attacks. (note I also
>> questioned the 1 success attack in the firewall circumvention case)
>> More details are needed to analyze the experiments and the results.
>>
>> This is important because these 9 cases are the only evidence
>> presented so far that plaintext payload in simple framing could be
>> misinterpreted as compliant HTTP requests although it is not. The
>> evidence is used to argue for stream obfuscation. As the only
>> evidence, it should be examined carefully.
>
> Perhaps Adam & company could publish the experiment code and cite it in the paper, so that anyone who is skeptical of the results could attempt to replicate the experiment or attempt to identify methodological errors. (It's sad that this is not the norm for CS papers.)

Yeah, I'll ask if we can do that.  I'm a big proponent of releasing
the code behind papers.

> It might even be possible, though more work, to attempt replication solely based on the info in the paper.

That should be possible (it's important for reproducibility), but it's
rarely done in practice.  There are some subtleties to getting the
attacks to work that aren't reported in the paper, but I'd be happy to
share with folks off-list if they're interested in replicating the
experiment.

Adam