Re: [hybi] Shipping WebSockets
Willy Tarreau <w@1wt.eu> Thu, 16 December 2010 10:14 UTC
Date: Thu, 16 Dec 2010 11:16:16 +0100
From: Willy Tarreau <w@1wt.eu>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Message-ID: <20101216101616.GB18439@1wt.eu>
References: <B0B3789C-1D3C-4A4E-B37F-8F43FFC7D905@mnot.net> <AANLkTi=Z8Hcp7FBDumgMPH4YmQ1=yqOPwAxD095yzLBt@mail.gmail.com> <AANLkTimw5bHL+GwkMhPC5DwLUJZzeSvfURQQy-XSJxpi@mail.gmail.com> <F16F4A8A-CFBD-44C1-B4A2-EC209E793AF7@mimectl> <u0njg6p6gab1iontt8j1i8e0h4tncnu5u8@hive.bjoern.hoehrmann.de>
In-Reply-To: <u0njg6p6gab1iontt8j1i8e0h4tncnu5u8@hive.bjoern.hoehrmann.de>
Cc: "hybi@ietf.org HTTP" <hybi@ietf.org>
Subject: Re: [hybi] Shipping WebSockets
On Thu, Dec 16, 2010 at 10:50:12AM +0100, Bjoern Hoehrmann wrote:
> * Gabriel Montenegro wrote:
> >FYI, we have submitted a draft that's essentially the handshake that Greg proposed a while back.
> >We'd like to use it as a basis for further iteration.
> >
> >http://tools.ietf.org/html/draft-montenegro-hybi-upgrade-hello-handshake
>
> This seems broken to me if you make three assumptions: implementations
> don't stop normal HTTP processing if they see a 101 (that's the working
> assumption that makes us discuss handshakes at all); it's fairly common
> for servers to send response bodies when they are not supposed to, e.g.
> in response to HEAD requests, so implementations treat unexpected bodies
> as part of the response to the previous request; implementations do only
> very limited input validation, for instance, when looking for a method,
> they just skip to the next white space octet.
>
> With these assumptions it would seem the server->client hello would be
> treated as response body and the client->server hello as request method.
> Since what follows the unknown request method is essentially controlled
> by the attacker, that amounts to a normal HTTP request. I am sure each
> of these flaws can be found in deployed software; their combination plus
> additional behavior that makes them exploitable (you also need, say,
> persistent connections) is probably rare, but unless I am misreading the
> document, this seems insufficient if you care a lot about this problem.

If the server's data is treated as a response body, this is fine, because it
will be treated as the handshake request's response; it cannot be sent as a
response to a second request.
The kinds of processing we can see on a 101 response are:

  - intermediary considers 1xx as error and stops => OK

  - intermediary does not know about 1xx and forwards it as it would for a
    2xx or 3xx => since we have no content-length, the end of the response
    is indicated by closing the connection after the "body"

  - intermediary only knows that 1xx has no body but forwards it as a
    single response and believes that what follows is the response to a
    second request => the client hello must be accepted as a valid HTTP
    request for the server hello to be parsed, then accepted in turn as a
    valid HTTP response. None of them look like HTTP, and that's the point.

  - intermediary knows that 1xx is an intermediate message without body
    and waits for a second one right after it => it parses the server
    hello expecting to find an HTTP response here, which it does not look
    like at all.

  - intermediary knows about 101 and establishes the bidirectional tunnel
    between the two sides and we're OK.

I don't see a way to abuse any non-compliant intermediary here.

Regards,
Willy
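To make the third case above concrete, here is an added example (not code from the mail, the draft, or any implementation discussed in the thread) that checks whether hello bytes would pass a strict or a lenient HTTP request-line/status-line parser before a 101-ignorant proxy could treat them as a second HTTP exchange. The hello byte strings, the regexes and the function names are constructed assumptions, not the draft's real framing.

```python
import re

# Added example: models the third intermediary case from the mail, where a
# 101-ignorant proxy expects the bytes after the handshake to be a second
# HTTP request/response pair. The hello bytes are constructed placeholders,
# not the actual framing defined by the upgrade-hello draft.
CLIENT_HELLO = b"\x00\x01\x02hello-client\xff"
SERVER_HELLO = b"\x00\x01\x02hello-server\xff"

# Strict request-line / status-line shapes (HTTP/1.1 token = tchar+).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
STRICT_REQUEST = re.compile(rb"^" + TOKEN + rb" \S+ HTTP/\d\.\d\r\n")
STRICT_STATUS = re.compile(rb"^HTTP/\d\.\d \d{3}[^\r\n]*\r\n")
# Sloppy parser as Bjoern describes it: the "method" is whatever precedes
# the first space; it still needs a target, a version and a line ending.
LENIENT_REQUEST = re.compile(rb"^[^ \r\n]+ [^ \r\n]+ HTTP/\d\.\d\r?\n")


def looks_like_request(data: bytes, lenient: bool = False) -> bool:
    """Would a proxy accept these bytes as the start of an HTTP request?"""
    pat = LENIENT_REQUEST if lenient else STRICT_REQUEST
    return pat.match(data) is not None


def looks_like_response(data: bytes) -> bool:
    """Would a proxy accept these bytes as the start of an HTTP response?"""
    return STRICT_STATUS.match(data) is not None


def second_exchange_outcome(client_bytes: bytes = CLIENT_HELLO,
                            server_bytes: bytes = SERVER_HELLO,
                            lenient: bool = False) -> str:
    """Case 3 from the mail: the proxy only keeps going if the client hello
    parses as a request AND the server hello parses as a response; any other
    outcome is a parse error that drops the connection."""
    if not looks_like_request(client_bytes, lenient):
        return "client hello rejected: not a request line"
    if not looks_like_response(server_bytes):
        return "server hello rejected: not a status line"
    return "accepted as a second HTTP exchange"


if __name__ == "__main__":
    for lenient in (False, True):
        print("lenient" if lenient else "strict", "->",
              second_exchange_outcome(lenient=lenient))
```

Even the lenient parser needs a space-separated target and an HTTP version on the first line, so a hello that contains neither is rejected before any "attacker-controlled request" can be read from it.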