Re: [hybi] Why redirects are bad for the security of WebSockets (was Re: Clarify whether HTTP responses other than 101 are valid)

Adam Barth <ietf@adambarth.com> Mon, 28 March 2011 22:46 UTC

In-Reply-To: <4D910DF0.4070204@ducksong.com>
References: <BANLkTi=0a84PA+2hN9U7S9uvNWgmestE2g@mail.gmail.com> <4D910DF0.4070204@ducksong.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 28 Mar 2011 15:47:21 -0700
Message-ID: <BANLkTi=YMEc6_5jT7H8iik-mKimMoRgeUg@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org

On Mon, Mar 28, 2011 at 3:38 PM, Patrick McManus <mcmanus@ducksong.com> wrote:
> Hi Adam, I really appreciate you spelling this out - it helps the WG.
>
> On 3/28/11 10:34 PM, Adam Barth wrote:
>> example.com.  However, if example.com has an open redirector (as
>> is extremely common on the Internet), this assumption is incorrect and
>> leads to vulnerabilities.
>
> I know you won't agree, but for the wg list I don't see how this expands the
> threat model when compared to all the other bugs and vulnerabilities that
> might be present (or not) on example.com when we interact with it. I'm not
> saying it's not our problem, I'm just saying it is more or less par for the
> level of vulnerability we already have by connecting to that host.

Yeah, I don't agree.  People like to complain about open redirectors,
but the reality is that the vast majority of non-trivial web sites
contain them and don't feel a need to close them.  The situation is
quite unlike XSS, which sites actively worry about and repair.

> There are auth patterns using redirect that I think would be useful to
> support. The websockets API won't be able to pass the redir info to the JS on
> failure so we can't just bump the issue out. Plus I think having a full
> fledged http bootstrap without caveat and exception is a good thing from a
> modeling point of view for a lot of the same reasons I think masking the
> whole client->server request stream is a better model.

That's all fine and good, but we don't need to address those use cases
in the first iteration of the protocol.  If these turn out to be
pressing issues that can't be addressed satisfactorily at the
application layer, then we can revisit this question.  Anything else
is premature.

I also don't buy your argument about simplifying the model by
increasing complexity.  Adding complexity does not improve security.

Adam
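The client-side rule this thread argues over, as an added example that is not code from the thread or from any WebSocket implementation: a handshake validator that accepts only a correct 101 response and treats a 3xx from the trusted host as a hard failure rather than something to follow. The accept-key GUID, header checks and the sample key/accept pair are taken from RFC 6455; the redirect response below is constructed.

```python
# Added example: validate a WebSocket opening-handshake response on the client.
# A redirect (3xx) is refused outright, so an open redirector on the host the
# page trusts cannot re-point the connection to some other endpoint.
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 accept-key GUID


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for client_key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response head into (status, {lowercased-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def validate_handshake(raw: bytes, client_key: str):
    """Return (ok, reason). Anything other than a correct 101 fails the
    connection; a 3xx is reported as a refused redirect, never followed."""
    status, headers = parse_response(raw)
    if 300 <= status < 400:
        return False, f"redirect ({status}) to {headers.get('location')!r} refused"
    if status != 101:
        return False, f"unexpected status {status}"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "missing Connection: Upgrade"
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "handshake accepted"


# Constructed samples. The key/accept pair is the RFC 6455 worked example.
CLIENT_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
OPEN_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: ws://elsewhere.example/socket\r\n\r\n"
```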