IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 09 October 2010 16:20 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6C853A684A for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 09:20:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.831
X-Spam-Level:
X-Spam-Status: No, score=-2.831 tagged_above=-999 required=5 tests=[AWL=-0.232, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYIAEAgsW3HV for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 09:20:12 -0700 (PDT)
Received: from mail.gmx.net (mailout-de.gmx.net [213.165.64.23]) by core3.amsl.com (Postfix) with SMTP id DF0593A6874 for <hybi@ietf.org>; Sat, 9 Oct 2010 09:20:11 -0700 (PDT)
Received: (qmail invoked by alias); 09 Oct 2010 16:21:17 -0000
Received: from dslb-094-223-184-138.pools.arcor-ip.net (EHLO hive) [94.223.184.138] by mail.gmx.net (mp007) with SMTP; 09 Oct 2010 18:21:17 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX19rrY9rQFpriaycxg918NM0QsrcviQY0uKDPSzfup 5ayKS2x9RAmNHW
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Sat, 09 Oct 2010 18:21:13 +0200
Message-ID: <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de>
References: <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com>
In-Reply-To: <4CB0915A.1030400@caucho.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 16:20:13 -0000

* Scott Ferguson wrote:
>Your attacker's PHP script is perfectly capable of launching a 
>non-browser attack against the target server. It's not true at all that 
>a HTTP request is one of the "things they currently cannot do". Can you 
>explain why the attacker doesn't just launch a trivial non-browser 
>attack from the PHP script?

Because the target may refuse requests from the script but accept them
if they come from a certain user's browser. The server-side script can-
not, for instance, spoof the user's IP address, but the client-side one
can.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

v2.23.0 | Report a Bug | By Email