Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Adam Barth <ietf@adambarth.com> Sat, 27 November 2010 01:14 UTC

In-Reply-To: <AANLkTimSu1fOGCg0gqX2EFh4v-MkpZuY_-onm3+TO_Z0@mail.gmail.com>
References: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com> <AANLkTimSu1fOGCg0gqX2EFh4v-MkpZuY_-onm3+TO_Z0@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 26 Nov 2010 17:14:55 -0800
Message-ID: <AANLkTimYpdp-75BQSmhAUfyrQv19LvzF1ouznst+ANUG@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Cc: Hybi <hybi@ietf.org>

On Fri, Nov 26, 2010 at 4:55 PM, Greg Wilkins <gregw@webtide.com> wrote:
> on the whole, your paper looks like excellent work and I think you have
> discovered an existing vulnerability which obviously needs to be fixed.

Thanks.

> With regards to websocket, your paper says:
>   " Our advertisement contains a SWF which performs the WebSocket handshake,
> spoofs an HTTP request upon handshake success,..."
>
> Was the spoofed HTTP request framed as a websocket frame?

Nope.  It's the handshake's job to establish that it's safe to let the
attacker communicate on the socket.

> Would it be possible for you to repeat the experiment, but with the framing
> changes proposed to make WS frames less likely to be interpreted as HTTP (ie
> flipping the sense of the more bit). Also it would be interesting to see if
> the exchange of HELLO frames after the handshake had an effect on
> transparent proxies.

The exchange of HELLO frames adds an extra round-trip.  There's no
need to delay the connection with an extra round trip.

Adam
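An added example (Python, written for this page; it is not code from the thread or from the paper under discussion) of the situation Greg asks about and Adam confirms: the bytes the SWF writes after the handshake are not WebSocket frames, so a transparent proxy that keeps parsing the socket as HTTP sees the spoofed request as a fresh request for whatever Host the attacker named. The handshake, hostnames, paths, key value and both proxy models below are constructed placeholders, and the handshake is schematic rather than a faithful copy of any particular hybi draft.

```python
"""Added example; not code from the hybi thread or from the paper it discusses.

Models what a transparent HTTP proxy sees on one client socket when a page
completes a WebSocket Upgrade handshake and then writes an UNFRAMED, spoofed
HTTP request onto the same socket. Hostnames, paths, the key value and both
proxy models are constructed for this example; no real proxy's code is used.
"""
import re

REQUEST_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/1\.[01]")


def parse_requests(stream: bytes) -> list:
    """Parse a byte stream as back-to-back HTTP/1.x requests, the way a proxy
    with no notion of Upgrade keeps reading the socket. Stops at the first
    chunk whose first line is not a valid request line."""
    reqs, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        m = REQUEST_LINE.fullmatch(lines[0])
        if not m:
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        body_len = int(headers.get("content-length", "0"))
        reqs.append({"method": m.group(1), "target": m.group(2),
                     "host": headers.get("host"), "headers": headers,
                     "body": stream[body_start:body_start + body_len]})
        pos = body_start + body_len
    return reqs


def is_websocket_upgrade(req: dict) -> bool:
    h = req["headers"]
    return (h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower())


def naive_proxy_view(client_stream: bytes) -> list:
    """Proxy model 1: never notices the upgrade. Every parsed request is a
    candidate to forward to the socket's peer (the attacker's server) and,
    if the reply is cacheable, to store under the request's Host."""
    return [(r["host"], r["method"], r["target"])
            for r in parse_requests(client_stream)]


def upgrade_aware_proxy_view(client_stream: bytes, server_reply: bytes) -> list:
    """Proxy model 2: once a WebSocket Upgrade request has been answered by
    the server with 101, the rest of the socket is an opaque tunnel."""
    seen = []
    for r in parse_requests(client_stream):
        seen.append((r["host"], r["method"], r["target"]))
        if is_websocket_upgrade(r) and server_reply.startswith(b"HTTP/1.1 101"):
            break
    return seen


# Constructed traffic: the handshake goes to the attacker's own WebSocket
# server; the spoofed request names an unrelated victim host.
HANDSHAKE = (b"GET /chat HTTP/1.1\r\n"
             b"Host: ws.attacker.invalid\r\n"
             b"Upgrade: WebSocket\r\n"
             b"Connection: Upgrade\r\n"
             b"Origin: http://ad.attacker.invalid\r\n"
             b"Sec-WebSocket-Key: placeholder-key-value\r\n"
             b"\r\n")
SERVER_101 = (b"HTTP/1.1 101 Switching Protocols\r\n"
              b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n")
SPOOFED_REQUEST = (b"GET /script.js HTTP/1.1\r\n"
                   b"Host: victim.invalid\r\n"
                   b"\r\n")


def unframed_attack_stream() -> bytes:
    """What the SWF writes: handshake, then raw HTTP bytes, no WS framing."""
    return HANDSHAKE + SPOOFED_REQUEST


def framed_stream() -> bytes:
    """The same payload inside a hybi-00 style 0x00 ... 0xFF text frame.
    Nothing forces an attacker who owns the socket to frame at all."""
    return HANDSHAKE + b"\x00" + SPOOFED_REQUEST + b"\xff"


if __name__ == "__main__":
    print("naive proxy, unframed:", naive_proxy_view(unframed_attack_stream()))
    print("naive proxy, framed:  ", naive_proxy_view(framed_stream()))
    print("upgrade-aware proxy:  ",
          upgrade_aware_proxy_view(unframed_attack_stream(), SERVER_101))
```

Run it directly to print the three views. The framed variant only looks safe against the naive parser because the leading 0x00 byte breaks the request line; an attacker who controls the socket simply omits the framing, which is why Adam puts the burden on the handshake rather than on the frame format.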