Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Sat, 09 October 2010 00:38 UTC

Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0964B3A698A for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 17:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.201
X-Spam-Level:
X-Spam-Status: No, score=-2.201 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bx9Zs9ahegCA for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 17:38:26 -0700 (PDT)
Received: from smtp113.biz.mail.sp1.yahoo.com (smtp113.biz.mail.sp1.yahoo.com [69.147.92.226]) by core3.amsl.com (Postfix) with SMTP id 5AE043A697F for <hybi@ietf.org>; Fri, 8 Oct 2010 17:38:26 -0700 (PDT)
Received: (qmail 99899 invoked from network); 9 Oct 2010 00:39:32 -0000
Received: from [192.168.1.11] (ferg@66.92.8.203 with plain) by smtp113.biz.mail.sp1.yahoo.com with SMTP; 08 Oct 2010 17:39:32 -0700 PDT
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: r_7Km98VM1mGbcCG3g69kTvmIdUgyywnuxJh5A4FDQqK6oe EMF09RCvahnP_Qespnwp_PSzEBWXcmkG9v2ONEiAaXGj8h1xXFgyluzJwLXN AnPM1ho3uucMhg5DtLSZJ1uXQ8z7rVxT4Oc3emrit6HdF.qi.hCtoRiuYlZZ FSlTcGb3zjN4IZ2JxZBoJ2VMWmnpnMne_nP90oltJoA_Vm9rC9Mi0xpLLBiy _PWzG7PmxuAl4_.e6S9RD.e5XmzOTBgEHxcYMeZ2BiOOnmRvyIp_rDTmM181 Askvn_Fdcx4qv5SHo4JtN
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CAFB9C4.6030905@caucho.com>
Date: Fri, 08 Oct 2010 17:39:32 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Bjoern Hoehrmann <derhoermi@gmx.net>
References: <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de>
In-Reply-To: <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 00:38:29 -0000

Bjoern Hoehrmann wrote:
> * Scott Ferguson wrote:
>   
>> So the attacker has a PHP script running on the same physical machine as 
>> the target site, on the same VM guest as the target, and using the same 
>> shared web server as the target, and has decided that a cross protocol 
>> attack is the appropriate vector against a target on the same machine as 
>> his PHP script.
>>     
>
> In the scenario the browser thinks it is talking Websocket while the
> server thinks the browser is talking HTTP, so basically
>
>   +----------------+                    +------------------+
>   | User's browser | -- "Websocket" +-- | attacker.example |
>   +----------------+                |   +------------------+
>                                   HTTP
>                                     |   +------------------+
>                                     +-- | target.example   |
>                                         +------------------+
>
> How attacker.example and target.example are organized is up to the
> web server, it could just be some kind of firewall where the two sites
> are actually hosted on physically separate machines behind it and they
> may be unable to talk to each other. I do think this is something that
> the Websocket protocol needs to address.
>   

To consider the original scenario, do you think the case where the 
attacker's PHP script is on the same physical and virtual machine as the 
target is something WebSockets needs to address? Or that the shared 
machine configuration is already so compromised that complicating 
WebSockets to address that scenario adds no real value?

Your proxy case needs to be considered separately, because a proxied 
attacker has less power over the web server than a PHP script on the 
same server does.

-- Scott
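The cross-protocol confusion Bjoern sketches above (browser believes it is speaking WebSocket, server believes it is serving HTTP) is what the handshake has to make detectable on both ends. The following is an added example, not code from this thread or from either author; it assumes the challenge/response handshake that RFC 6455 later standardized (Sec-WebSocket-Key, the fixed GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, and Sec-WebSocket-Accept), which the drafts under discussion in 2010 did not yet use. The server side only treats a request as a WebSocket upgrade when the upgrade headers and a well-formed key are present; the client side only accepts a response that carries the correct accept value, so a plain HTTP reply from a server that never understood the upgrade, or a response that merely echoes request headers back, is rejected. All request and response bytes below are constructed for the example.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455; mixed into the client key so that only an endpoint
# that actually implements the WebSocket handshake can produce the accept value.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_value(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key || GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_head(raw: bytes):
    """Split an HTTP message into (first line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _tokens(header_value: str):
    return [t.strip().lower() for t in header_value.split(",")]


def is_websocket_upgrade(raw_request: bytes) -> bool:
    """Server side: accept the request as a WebSocket handshake only if it
    really is one, so a generic HTTP handler is never reached by mistake."""
    request_line, headers, _ = parse_head(raw_request)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return False
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    if "upgrade" not in _tokens(headers.get("connection", "")):
        return False
    key = headers.get("sec-websocket-key", "")
    try:
        # The key must be base64 of exactly 16 random bytes.
        return len(base64.b64decode(key, validate=True)) == 16
    except ValueError:
        return False


def handshake_ok(raw_response: bytes, client_key: str) -> bool:
    """Client side: treat the connection as WebSocket only if the server proved
    it understood the handshake; anything else is an HTTP reply, not a socket."""
    status_line, headers, _ = parse_head(raw_response)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "HTTP/1.1" or parts[1] != "101":
        return False
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    if "upgrade" not in _tokens(headers.get("connection", "")):
        return False
    return headers.get("sec-websocket-accept") == accept_value(client_key)


# Constructed sample key (the RFC 6455 worked example: base64 of "the sample nonce").
CLIENT_KEY = "dGhlIHNhbXBsZSBub25jZQ=="

# Constructed: a genuine upgrade request and a plain page fetch for target.example.
WS_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: target.example\r\n"
              b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
              b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")
PLAIN_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: target.example\r\n"
                 b"Connection: keep-alive\r\n\r\n")

# Constructed: a correct handshake reply, an ordinary HTTP reply from a server
# that never saw an upgrade, and a reply that just echoes the key back.
GOOD_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 b"Connection: Upgrade\r\n"
                 b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
PLAIN_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html>hello</html>")
ECHO_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 b"Connection: Upgrade\r\n"
                 b"Sec-WebSocket-Accept: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")

if __name__ == "__main__":
    print("server treats WS_REQUEST as upgrade:   ", is_websocket_upgrade(WS_REQUEST))
    print("server treats PLAIN_REQUEST as upgrade:", is_websocket_upgrade(PLAIN_REQUEST))
    print("client accepts GOOD_RESPONSE: ", handshake_ok(GOOD_RESPONSE, CLIENT_KEY))
    print("client accepts PLAIN_RESPONSE:", handshake_ok(PLAIN_RESPONSE, CLIENT_KEY))
    print("client accepts ECHO_RESPONSE: ", handshake_ok(ECHO_RESPONSE, CLIENT_KEY))
```

The point of the two checks is symmetry: the server never hands a WebSocket request to an ordinary HTTP handler, and the client never mistakes an ordinary HTTP response for an open socket, which is exactly the mismatch the diagram above describes. Whether a co-located script on the same shared host should additionally be defended against is the separate question Scott raises, and this check does not settle it.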