[hybi] Experiment comparing Upgrade and CONNECT handshakes
Adam Barth <ietf@adambarth.com> Fri, 26 November 2010 23:47 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB77228C12D for <hybi@core3.amsl.com>; Fri, 26 Nov 2010 15:47:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.41
X-Spam-Level:
X-Spam-Status: No, score=-2.41 tagged_above=-999 required=5 tests=[AWL=-3.033, BAYES_50=0.001, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZRwvNnv-Vev for <hybi@core3.amsl.com>; Fri, 26 Nov 2010 15:47:46 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id 862D928C122 for <hybi@ietf.org>; Fri, 26 Nov 2010 15:47:46 -0800 (PST)
Received: by gyb13 with SMTP id 13so1281869gyb.31 for <hybi@ietf.org>; Fri, 26 Nov 2010 15:48:50 -0800 (PST)
Received: by 10.100.134.1 with SMTP id h1mr2059521and.6.1290815329981; Fri, 26 Nov 2010 15:48:49 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id 2sm2607644anw.18.2010.11.26.15.48.47 (version=SSLv3 cipher=RC4-MD5); Fri, 26 Nov 2010 15:48:48 -0800 (PST)
Received: by iwn40 with SMTP id 40so3103068iwn.31 for <hybi@ietf.org>; Fri, 26 Nov 2010 15:48:46 -0800 (PST)
Received: by 10.231.11.3 with SMTP id r3mr2191947ibr.53.1290815326903; Fri, 26 Nov 2010 15:48:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.12.77 with HTTP; Fri, 26 Nov 2010 15:48:16 -0800 (PST)
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 26 Nov 2010 15:48:16 -0800
Message-ID: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com>
To: Hybi <hybi@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [hybi] Experiment comparing Upgrade and CONNECT handshakes
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2010 23:47:47 -0000
David Huang, Eric Chen, Eric Rescorla, Collin Jackson, and I have been experimenting with the security of the Upgrade-based and CONNECT-based WebSocket handshakes. Please find a paper detailing our findings at this location: http://www.adambarth.com/experimental/websocket.pdf == Summary == The Upgrade-based handshake is vulnerable to attack in network configurations involving transparent (or intercepting) proxies. The core issue is that some number of transparent proxies do not understand the HTTP Upgrade mechanism and therefore don't understand that the remaining bytes sent by the attacker on the socket are not HTTP. These proxies treat these bytes as subsequent HTTP requests, letting the attacker either circumvent firewalls or, worse, poison the proxy's HTTP cache (depending on how the proxy is configured). Please see the paper for details about how these attacks work. To demonstrate that these attacks work in practice and to estimate how many users are vulnerable to attack, we ran an experiment on the Internet using a rich-media advertisement. We found that for a $100, we were able to poison the cache of 8 users by using the Upgrade-based handshake. When the attacker is able to poison the proxy's cache in this way, the attacker can exploit /every/ user of the cache, with potentially dangerous consequences. For example, the attacker can poison the proxy's cache entry for http://www.google-analytics.com/ga.js and inject JavaScript into approximately 57% of the top 10,000 web sites. We attempted to mount the same class of attack against the CONNECT-based handshake. We were unable to poison any proxy caches when using the CONNECT-based handshake. Based on the data we've collected, vastly most proxies appear to understand the semantics of CONNECT requests than understand the semantics of the Upgrade mechanism. This is consistent with our prior beliefs because CONNECT is widely used on the Internet to tunnel TLS through proxies whereas Upgrade is used rarely. == Recommendation == We recommend that the working group adopt the CONNECT-based handshake described in draft-abarth-websocket-handshake rather than an Upgrade-based handshake. Empirically speaking, the CONNECT-based handshake avoids the real-world attacks we have demonstrated against Upgrade-based handshakes, requires no more round trips, success approximately as often, and complies with HTTP. Kind regards, Adam
- [hybi] Experiment comparing Upgrade and CONNECT h… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Eric Rescorla
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Eric Rescorla
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Ian Fette (イアンフェッティ)
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Scott Ferguson
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Scott Ferguson
- Re: [hybi] Experiment comparing Upgrade and CONNE… Julian Reschke
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Scott Ferguson
- Re: [hybi] Experiment comparing Upgrade and CONNE… Brian
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Joe Mason
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… Ian Fette (イアンフェッティ)
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Eric Rescorla
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Bjoern Hoehrmann
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth