[hybi] Experiment comparing Upgrade and CONNECT handshakes

Adam Barth <ietf@adambarth.com> Fri, 26 November 2010 23:47 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Fri, 26 Nov 2010 15:48:16 -0800
Message-ID: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com>
To: Hybi <hybi@ietf.org>

David Huang, Eric Chen, Eric Rescorla, Collin Jackson, and I have been
experimenting with the security of the Upgrade-based and CONNECT-based
WebSocket handshakes.  Please find a paper detailing our findings at
this location:

http://www.adambarth.com/experimental/websocket.pdf

== Summary ==

The Upgrade-based handshake is vulnerable to attack in network
configurations involving transparent (or intercepting) proxies.  The
core issue is that some number of transparent proxies do not
understand the HTTP Upgrade mechanism and therefore don't understand
that the remaining bytes sent by the attacker on the socket are not
HTTP.  These proxies treat these bytes as subsequent HTTP requests,
letting the attacker either circumvent firewalls or, worse, poison the
proxy's HTTP cache (depending on how the proxy is configured).  Please
see the paper for details about how these attacks work.

To demonstrate that these attacks work in practice and to estimate how
many users are vulnerable to attack, we ran an experiment on the
Internet using a rich-media advertisement.  We found that for $100,
we were able to poison the cache of 8 users by using the Upgrade-based
handshake.  When the attacker is able to poison the proxy's cache in
this way, the attacker can exploit /every/ user of the cache, with
potentially dangerous consequences.  For example, the attacker can
poison the proxy's cache entry for
http://www.google-analytics.com/ga.js and inject JavaScript into
approximately 57% of the top 10,000 web sites.

We attempted to mount the same class of attack against the
CONNECT-based handshake.  We were unable to poison any proxy caches
when using the CONNECT-based handshake.  Based on the data we've
collected, vastly more proxies appear to understand the semantics of
CONNECT requests than understand the semantics of the Upgrade
mechanism.  This is consistent with our prior beliefs because CONNECT
is widely used on the Internet to tunnel TLS through proxies whereas
Upgrade is used rarely.

== Recommendation ==

We recommend that the working group adopt the CONNECT-based handshake
described in draft-abarth-websocket-handshake rather than an
Upgrade-based handshake.  Empirically speaking, the CONNECT-based
handshake avoids the real-world attacks we have demonstrated against
Upgrade-based handshakes, requires no more round trips, succeeds
approximately as often, and complies with HTTP.

Kind regards,
Adam
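
The framing confusion described in the Summary, as an added toy model (not code from the message, the paper, or any real proxy): it counts how many HTTP requests an intercepting proxy believes it saw on one client-to-server stream. The function names, the example hosts, the CONNECT request line and all byte strings are constructed for illustration, and request bodies are ignored.

```python
# Added illustration: toy model of how an intercepting proxy frames the
# client-to-server byte stream. All bytes below are constructed sample data.
CRLF = b"\r\n"

UPGRADE_HANDSHAKE = (b"GET /socket HTTP/1.1\r\nHost: ws.example\r\n"
                     b"Connection: Upgrade\r\nUpgrade: WebSocket\r\n\r\n")
# Constructed CONNECT request; not the exact syntax of the draft.
CONNECT_HANDSHAKE = b"CONNECT ws.example:80 HTTP/1.1\r\nHost: ws.example:80\r\n\r\n"
# Post-handshake application data that merely looks like an HTTP request.
POST_HANDSHAKE = b"GET /script.js HTTP/1.1\r\nHost: other.example\r\n\r\n"


def split_head(buf):
    """Return (request_line, headers, rest) for one request head, or None."""
    head, sep, rest = buf.partition(CRLF + CRLF)
    if not sep:
        return None
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return lines[0], headers, rest


def proxy_view(stream, understands_upgrade, understands_connect=True):
    """Return (request lines the proxy parsed, bytes it tunnels opaquely)."""
    seen, buf = [], stream
    while buf:
        parsed = split_head(buf)
        if parsed is None:
            break  # incomplete head; this model simply stops parsing
        request_line, headers, rest = parsed
        seen.append(request_line.decode("ascii", "replace"))
        method = request_line.split(b" ", 1)[0]
        is_upgrade = (b"upgrade" in headers.get(b"connection", b"")
                      and b"upgrade" in headers)
        if (method == b"CONNECT" and understands_connect) or \
                (is_upgrade and understands_upgrade):
            return seen, rest  # protocol switched: the rest is not HTTP
        buf = rest  # proxy keeps parsing the socket as HTTP
    return seen, b""
```

A proxy that parses more than one request from a stream that began with a handshake is misframing it; that count is the property to check when testing an intercepting proxy's handling of Upgrade.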