Re: [hybi] Handshake was: The WebSocket protocol issues.
Mike Belshe <mike@belshe.com> Mon, 27 September 2010 04:59 UTC
Return-Path: <mike@belshe.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C9BB63A6851 for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 21:59:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.746
X-Spam-Level:
X-Spam-Status: No, score=-1.746 tagged_above=-999 required=5 tests=[AWL=0.230, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZA7W6LBsyUdc for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 21:59:24 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by core3.amsl.com (Postfix) with ESMTP id B7E4A3A69F2 for <hybi@ietf.org>; Sun, 26 Sep 2010 21:59:23 -0700 (PDT)
Received: by qwc9 with SMTP id 9so3678113qwc.31 for <hybi@ietf.org>; Sun, 26 Sep 2010 22:00:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.246.194 with SMTP id lz2mr5215793qcb.216.1285563600112; Sun, 26 Sep 2010 22:00:00 -0700 (PDT)
Received: by 10.229.65.31 with HTTP; Sun, 26 Sep 2010 22:00:00 -0700 (PDT)
In-Reply-To: <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com>
Date: Sun, 26 Sep 2010 22:00:00 -0700
Message-ID: <AANLkTikVdXaSqq9XPR4xPvj7i+AWqnOrqKspT6gNFUZw@mail.gmail.com>
From: Mike Belshe <mike@belshe.com>
To: Maciej Stachowiak <mjs@apple.com>
Content-Type: multipart/alternative; boundary="0016e64f9200b892e8049136991b"
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 04:59:25 -0000
On Sun, Sep 26, 2010 at 9:35 PM, Maciej Stachowiak <mjs@apple.com> wrote: > > On Sep 26, 2010, at 6:22 PM, Greg Wilkins wrote: > > > 2010/9/27 Maciej Stachowiak <mjs@apple.com>: > >> Here is an email from February where I summarized some of the risks from > >> cross-protocol attacks for WebSocket: > > > > > > Maciej, > > > > thanks for the reference, but I didn't and still don't fully > > understand the actual risk posed by those descriptions and that we are > > still shadow boxing against perceived rather than real threats. > > If you don't understand the risks, then I am not sure you are in a good > position to propose solutions or evaluate their effectiveness. Please try to > read up on cross-protocol attacks, a simple Google search and the paper that > James Graham linked earlier in the thread are great starting points. Many in > this WG seem to discount the importance of security risks that they do not > personally understand. Well, trust me, the bad guys understand them, and > they are not going to be dissuaded by the difficulty of these issues, nor > will they give us an A for effort if we work very hard but still produce > something insecure. > > I will note in fairness that my original attacks were against the old (-75) > handshake which did not have any kind of protection. I have also learned a > lot more about cross-protocol attacks since originally posting the email I > cited, which proposed a nonce with hash response as protection and nothing > else. Largely thanks to pointers from and personal conversations with Adam > Barth. > > One thing I have learned is that it is very risky to have a defense that > just barely works. These are very likely to become defenses that don't work > at all in the face of a trickier attack, or a novel seemingly minor > vulnerability that breaks the assumptions of the defense. > > The reason I am skeptical of your proposed ping-poing handshake as a > defense against cross-protocol attacks is that the *only* defense protecting > WebSocket servers from attacks over HTTP is the assumed inability of > browser-hosted HTTP clients to send whatever carries the random nonce, or > something that looks sufficiently similar. Your summary doesn't specify > exactly how the nonce is sent, but I'll assume it is using a header that > normally cannot be sent via cross-site XHR or similar APIs. > > Now, imagine that a Web attacker, using in-browser APIs, can send something > that looks close enough to the nonce-carrying header to fool a server. This > could be due to a client bug, or due sloppy server processing (e.g. parsing > with regexps and not carefully checking for newlines), or due to a bug in an > intermediary (tricked into injecting extra headers). At this point, the > ping-poing exchange does nothing to protect the server for attacks. The > attacker could have queued up a body that sends the pong plus any additional > messages without needing to look at the ping, and the server will blindly > process them. > > Now, you could argue that such a scenario is merely a bug in either the > client or the server or the intermediary, and the protocol is not at fault. > But I would look at such a scenario and say the security of the protocol is > extremely brittle. It would be better to have a protocol that is more robust > in the face of buggy software. > > A potential improvement would be to require the server to produce a random > number, which is included in the ping and must be in the pong in addition to > the hash. In that case, an attacker could not queue up the correct pong > without looking at the server's response at all. But going down this road > results in increasingly elaborate schemes, along the lines of the -76 > handshake. It's also likely there are more complicated flaws that we simply > haven't thought of yet. I don't think we can stake the security of this > protocol just on our own ability to think up attacks within a period of only > a few weeks. > > > As I have thought about these issues, I am increasingly convinced that an > NPN-style solution is much more robust. Attempting to make a TLS connection > to a vanilla HTTP server, or an HTTPS server that does not understand NPN, > will reject the connection at a very low level, greatly limiting the > potential for shenanigans. Browser clients in general do not offer APIs that > would allow a Web attacker any control of the outgoing TLS handshake, and > the TLS layer would fail a bad connection before server software even had > the opportunity to make a mistake. This approach seems much more robust to > me. Rather than just barely being secure, it fails hard before the attacker > can even do anything tricky. I think it is much likely there would be future > attacks. I hope the WG strongly considers the NPN approach, despite the > costs and challenges imposed by using TLS. > +1. If we think WebSockets has to solve these security problems, the best bet is TLS. Further, if we're going to take the expense of a round trip in the handshake, we might as well get TLS, not just a nonce-verification. Mike > > Regards, > Maciej > > > > > > > >> 1) Hostile JavaScript could use WebSocket for a cross-protocol attack > against > >> vanilla HTTP resources or non-HTTP servers. > >> If the attacker can trick a non-WebSocket server into echoing back > chosen text (for > >> example through something in the URL part of the request), then they > could make > >> it give what appears to be a valid WebSocket handshake response. This > could result > >> in unauthorized access. > > > > I don't understand "unauthorized access" in this context. If a > > server, HTTP or otherwise want to protect it's content, then it needs > > to have both authentication and authorization, which typically means > > that the client will possess some credentials that the server must > > check. If the server does not protect its resources or the > > attacker already has access to credentials (or can trick the > > browser/user into providing credentials), then the easiest way to > > access a non-websocket server would be with existing HTTP mechanisms > > in the browser. > > > > Is there anything about WS that would make a vulnerable HTTP server > > easier to exploit than just using the existing HTTP mechanisms > > available in the browser? ie are there any exploit HTTP requests that > > can be generated using the WS client that could not be generated > > anyway? > > > > > > > >> 2) Cross-site XMLHttpRequest (using CORS or XDomainRequest) could be > used for a > >> cross-protocol attack against WebSocket resources, potentially violating > integrity (though not confidentiality). > >> > >> The WebSocket protocol currently does not require any checking of the > client handshake. However, any > >> WebSocket server that performs any side effects in response to messages > from the client has a security > >> vulnerability if it does not check correctness of the handshake request > from the client. > > > > > > I think that any server that "performs any side effects in response to > > messages from the client" will have a security vulnerability if they > > do not correctly check the authentication and authorization of the > > client. Eventually most browsers will have WS available to the > > javascript, so a server that is so vulnerable will be able to be > > exploited just with WS instead of trying to trick HTTP. > > > > The read question should be - are there any WS > > authentication/authorization mechanisms that can be subverted by using > > a HTTP mechanism instead of a the WS API? > > > > > > I still think that we should take reasonable measures to prevent cross > > protocol handshakes - even if there are no identified real security > > issues. But I think that the usage of Sec- headers and a simple nonce > > will give very good protection and that we only need do more if there > > is a real clearly identified risk. > > > > regards > > _______________________________________________ > > hybi mailing list > > hybi@ietf.org > > https://www.ietf.org/mailman/listinfo/hybi > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi >
- [hybi] Handshake was: The WebSocket protocol issu… Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Gabriel Montenegro
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … James Graham
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … John Tamplin
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Hickson
- Re: [hybi] Handshake was: The WebSocket protocol … Mike Belshe
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Hickson
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Simon Pieters
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Roderick Baier
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … James Graham
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … James Graham
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Hickson
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus