IETF Logo Mail Archive

Re: [hybi] CONNECT handshake text

Adam Barth <ietf@adambarth.com> Wed, 08 December 2010 18:30 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DD5C3A6982 for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 10:30:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.711
X-Spam-Level:
X-Spam-Status: No, score=-3.711 tagged_above=-999 required=5 tests=[AWL=-1.334, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IV3pvDN0c9y for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 10:30:47 -0800 (PST)
Received: from mail-qy0-f177.google.com (mail-qy0-f177.google.com [209.85.216.177]) by core3.amsl.com (Postfix) with ESMTP id CC6823A698C for <hybi@ietf.org>; Wed, 8 Dec 2010 10:30:31 -0800 (PST)
Received: by qyk27 with SMTP id 27so843589qyk.15 for <hybi@ietf.org>; Wed, 08 Dec 2010 10:31:46 -0800 (PST)
Received: by 10.229.251.204 with SMTP id mt12mr7112853qcb.182.1291833105804; Wed, 08 Dec 2010 10:31:45 -0800 (PST)
Received: from mail-iw0-f182.google.com (mail-iw0-f182.google.com [209.85.214.182]) by mx.google.com with ESMTPS id mz11sm532939qcb.39.2010.12.08.10.31.44 (version=SSLv3 cipher=RC4-MD5); Wed, 08 Dec 2010 10:31:44 -0800 (PST)
Received: by iwn39 with SMTP id 39so2192674iwn.27 for <hybi@ietf.org>; Wed, 08 Dec 2010 10:31:43 -0800 (PST)
Received: by 10.231.37.1 with SMTP id v1mr9481160ibd.103.1291833102899; Wed, 08 Dec 2010 10:31:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.33.198 with HTTP; Wed, 8 Dec 2010 10:31:12 -0800 (PST)
In-Reply-To: <AANLkTiknHq_hmdErypdydOpZpRk1y+DQm7aZh1qej3Ao@mail.gmail.com>
References: <AANLkTinEXHBeaUPo4gK2CHbq7ZHYnY2PE3Vb+Oi+K1NM@mail.gmail.com> <AANLkTimgrC2nehYE=Dnt11naKRY55nMzn=zTmzx+AYpH@mail.gmail.com> <AANLkTik4QUxMVTt=NTMq-Wo7GhOX3ie=eHQRMHZ8fEqd@mail.gmail.com> <AANLkTikEMwkY9G2RXjTrX+Uf97kvyfmm2Qi5CdK=_Cr+@mail.gmail.com> <AANLkTiknHq_hmdErypdydOpZpRk1y+DQm7aZh1qej3Ao@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 08 Dec 2010 10:31:12 -0800
Message-ID: <AANLkTimkCcAsNotbt7rkLZETkMxB7gRNCZax0Ya6N-wk@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org
Subject: Re: [hybi] CONNECT handshake text
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 18:30:50 -0000

On Wed, Dec 8, 2010 at 1:13 AM, Greg Wilkins <gregw@webtide.com> wrote:
> 2010/12/7 Adam Barth <ietf@adambarth.com>:
>> Unmasking the Host header has some security risk.  The scenario we're
>> worried about is one in which the attacker and the target server are
>> virtually hosted on the same machine.  In that case, a machine that
>> does not understand the Host header is likely to route the request
>> according to the Host header, but not understand that it is
>> establishing a bidirectional tunnel.  Another approach to mitigating
>> this threat is to mask the payload data so the attacker won't be able
>> to trick the machine after the handshake completes.
>
> is the following description the attack vector that you are concerned about:
>
> www.innocentbystander.com and www.drevil.com are virtually hosted on
> the same machine
>
> A client loads some of drevil's javascript that makes a WS connection
> to www.drevil.com, which is routed to that virtual host and the WS
> connection is accepted.    www.drevil.com and/or the drevil javascript
> then send WS packets that contain spoof HTTP requests that are sent to
> www.innocentbystander.com   allowing the attacker to bypass same
> origin rules etc.

Yes.

> If the server hosting these domains is WS aware, then this is not a problem.

Correct.

> If the server is not WS aware, then we have to ensure that the
> handshake is not something that can be accepted by a normal HTTP
> server, no matter what application the drevil is running.
>
> The Hello frames that I have proposed protect against this kind of
> attack, because they are bytes that an application running on a
> non-websocket-aware server cannot generate, thus they cannot trick the
> client into accepting the WS connection and sending more bytes.
>
> Also robust WS framing is another layer of defence as it would protect
> any packets sent by the client from easily being interpreted as HTTP.

The issue with that approach is now you're exploring the error states
of the server rather than confining yourself to a syntax for which we
can predict the server's behavior.  It's likely that existing servers
have a wide variety of error states, and it's difficult for us to be
certain of how they behave.

> Thus regardless of using CONNECT of Get+Upgrade,  I believe my
> proposals for Hello frames and inverting some bits the header are good
> defences to include.   I've attached my proposed text/diff for them
> again... please feel free to swap out Upgrade for CONNECT if that is
> your preference.

Thanks for your willingness to compromise.

Adam

v2.23.0 | Report a Bug | By Email