Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Mon, 11 October 2010 23:58 UTC

Message-ID: <4CB3A502.9010305@caucho.com>
Date: Mon, 11 Oct 2010 17:00:02 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: James Graham <jgraham@opera.com>
References: <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de> <4CAFB9C4.6030905@caucho.com> <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com> <20101009055723.GL4712@1wt.eu> <AANLkTimY2DjxgZybibSRtc7L34Wns2KhQC=Wa9K6PYku@mail.gmail.com> <20101009204009.GP4712@1wt.eu> <AANLkTi=Az0RmE1Uipo068zMh3YzgMpM2tQ+zYxaDT47A@mail.gmail.com> <20101011053354.GA12672@1wt.eu> <4CB2D7BD.1070004@opera.com> <9B9FA451-5551-4434-8EC1-BAC834FB9A61@apple.com> <AANLkTimDc_aqRTtgRpMKhdhk6x+vPGyOPvU3A=6mK9S7@mail.gmail.com> <4CB3373C.5050507@opera.com>
In-Reply-To: <4CB3373C.5050507@opera.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

James Graham wrote:
> On 10/11/2010 02:28 PM, Greg Wilkins wrote:
>>
>
> So there is an underlying issue here that I don't understand. It seems 
> clear to me that Adam and Eric's proposed handshake has a better 
> security story with regard to cross-protocol attacks than -75, -76, or 
> any other proposal other than using NPN with TLS. However there seem 
> to be a number of people who have problems with this proposed 
> handshake to the extent that they are prepared to forgo the security 
> properties in order to get something different. In general people seem 
> to be aware that they are making the security weaker since the 
> arguments are mostly about how different approaches will probably be 
> good enough in practice even though they are theoretically inferior.
>
> What I haven't followed is what the problems with the proposal 
> actually are. I understand that I have likely missed these in other 
> messages, but it would be helpful if people who believe that the 
> proposed approach, or aspects of it, are unworkable could summarise 
> the outstanding issues they see.

Some of the problems with the proposal:

1. auditing - the proposal takes away the capability to audit requests 
after an attack. Remember, cross-protocol is not the only kind of 
attack. Server admins will want to track down access logs to find the 
problem, but the proposal makes these request logs opaque to the server 
admins.

2. authorization - since the proposal no longer uses URL/method and 
specifically doesn't use a unique WEBSOCKET method, existing security 
systems in existing servers cannot be used. (<Limit>, .htaccess, etc.)

3. incompatibility with existing host/application dispatch models. In 
existing servers, the URL/host are used to dispatch to the server before 
processing. This proposal upends that model, requiring WebSocket to be 
dispatched before knowing the target resource.

4. performance - the proposal requires encryption of the entire data 
stream. That's not cheap on the server side.

To justify these security, performance, and management penalties, the 
proposal proposes an attack which requires the target machine to run an 
attacker program, assumes the target web server is under the control of 
the attacker, and assumes the target application has an additional open 
security hole to non-browser clients.

-- Scott