Re: [hybi] WebSocket handshake (HTTP and SSO)

Scott Ferguson <ferg@caucho.com> Wed, 01 September 2010 16:19 UTC

Adam Barth wrote:
> On Tue, Aug 31, 2010 at 6:39 PM, Scott Ferguson <ferg@caucho.com> wrote:
>   
>> a) To validate the server as a websocket server (as opposed to an SMTP server),
>> the client creates a securely-generated random nonce, c_nonce and sends it
>> in C1. The server sends back a hash in S2, like H(c_nonce, "WebSocket").
>> Since no server other than a websocket server will generate that hash,
>> you've verified that the server is a websocket server.
>>     
>
> This assumption is not correct.  Consider, for example, a protocol
> like DNS or an HTTP proxy where the attacker is given some control
> over the server's response.  We have no guarantee that S2 was actually
> generated by the server and not by some other entity and just relayed
> by the server.
>   

Yes, and that's a very important point.

If the hijacker has access to c_nonce or can predict it (like a 
non-securely random c_nonce), then the hijacker can generate the hash 
and trick a non-websocket server into returning it. The browser must 
absolutely keep the c_nonce secret from the hijacker and prevent the 
hijacker from computing H(c_nonce, "WebSocket") for the hash validation 
of the server to work.

But if the hijacker can't generate H(c_nonce, "WebSocket") himself, 
though, he can't trick some non-websocket server into computing that 
hash. Tricking a server into echoing or simple manipulation, sure, but 
not forcing a computation of a hash foreign to the server's protocol.

(The same issue applies to the current protocol, even though the hash 
function is different.)

-- Scott
> Adam
>
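
Added example, not part of the original message: a Python model of the server check discussed in this thread, showing that it holds only while c_nonce stays secret and unpredictable. It assumes H is SHA-256 over c_nonce followed by the label (the thread does not fix H); the server models and all function names are hypothetical.

```python
import hashlib
import hmac
import random
import secrets

LABEL = b"WebSocket"

def H(c_nonce: bytes) -> bytes:
    # Assumption: H = SHA-256(c_nonce || label). The thread leaves H unspecified.
    return hashlib.sha256(c_nonce + LABEL).digest()

def client_accepts(c_nonce: bytes, s2: bytes) -> bool:
    # Client-side validation of S2 against the nonce it sent in C1.
    return hmac.compare_digest(s2, H(c_nonce))

def websocket_server(c1: bytes) -> bytes:
    # A real WebSocket server computes the hash itself.
    return H(c1)

def echo_server(c1: bytes) -> bytes:
    # Non-WebSocket server that only echoes what it received.
    return c1

def relaying_server(c1: bytes, attacker_data: bytes) -> bytes:
    # Non-WebSocket server whose response is partly attacker-controlled
    # (the DNS / HTTP proxy case): it relays bytes and computes nothing.
    return attacker_data

def run_scenarios() -> dict:
    results = {}
    nonce = secrets.token_bytes(16)  # securely generated, never shown to the hijacker
    results["websocket_server"] = client_accepts(nonce, websocket_server(nonce))
    results["echo_server"] = client_accepts(nonce, echo_server(nonce))
    # Hijacker cannot see the nonce, so the best it can relay is a hash of a guess.
    blind_guess = H(secrets.token_bytes(16))
    results["relay_secret_nonce"] = client_accepts(
        nonce, relaying_server(nonce, blind_guess))
    # Weak client: nonce comes from a non-cryptographic PRNG whose seed the
    # hijacker knows (constructed seed value), so the hash can be precomputed.
    seed = 20100901
    weak_nonce = random.Random(seed).getrandbits(128).to_bytes(16, "big")
    predicted = random.Random(seed).getrandbits(128).to_bytes(16, "big")
    results["relay_predictable_nonce"] = client_accepts(
        weak_nonce, relaying_server(weak_nonce, H(predicted)))
    return results

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: client accepts = {accepted}")
```

Only the last scenario has a non-WebSocket server pass validation, and it does so without that server ever computing the hash.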