Re: [hybi] Handshake was: The WebSocket protocol issues.

Greg Wilkins <gregw@webtide.com> Fri, 01 October 2010 23:34 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6295A3A6D53 for <hybi@core3.amsl.com>; Fri, 1 Oct 2010 16:34:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.746
X-Spam-Level:
X-Spam-Status: No, score=-1.746 tagged_above=-999 required=5 tests=[AWL=0.231, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zV4LYqSn+zip for <hybi@core3.amsl.com>; Fri, 1 Oct 2010 16:34:28 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 129483A6CFC for <hybi@ietf.org>; Fri, 1 Oct 2010 16:34:27 -0700 (PDT)
Received: by iwn3 with SMTP id 3so5278263iwn.31 for <hybi@ietf.org>; Fri, 01 Oct 2010 16:35:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.161.80 with SMTP id q16mr6432372ibx.142.1285976112935; Fri, 01 Oct 2010 16:35:12 -0700 (PDT)
Received: by 10.231.39.199 with HTTP; Fri, 1 Oct 2010 16:35:12 -0700 (PDT)
In-Reply-To: <AANLkTim5d0TMJ=Z4_-eFNDw8ajyYmfx6V=UwS1Jya4Zq@mail.gmail.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <AANLkTinACqm-GxUPhvFMf6_sGfeJofwy1r=28o=vgM43@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com> <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com> <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <AANLkTi=YTYsbYLiqiPdoJN=yxkWyMmEM5GT4VZbJTFwO@mail.gmail.com> <AANLkTim5d0TMJ=Z4_-eFNDw8ajyYmfx6V=UwS1Jya4Zq@mail.gmail.com>
Date: Sat, 02 Oct 2010 09:35:12 +1000
Message-ID: <AANLkTik1B--kp1Fu==khCqMQL-E4T=qkJmKYVWiiwv2q@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: text/plain; charset="UTF-8"
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 23:34:30 -0000

Adam,

thanks for sharing the details of the experiments that you almost made
work in your private lab.  Strangely enough we didn't know about these
unpublished efforts of yours, nor gave you any "authority" for them,
because you didn't tell us about them.

But in the end, your experiment indicated that DNS servers cannot
generally be attacked by HTTP requests, so WS handshakes are also
currently OK, with or without framed nonces and no space encoded
headers.  WS also has extra defences, in that it cannot send an entity
body with the handshake, so that any target server that uses
characters from GET or POST as a binary length (as DNS apparently
does), will see a very long packet and the WS client has no way to put
data there unless the WS handshake is successful.

So this experiment is not an argument against the current proposal.
But I think it is very valuable to step through such potential attacks
(hence I keep asking for details), so we can analyse our defences and
perhaps consider others.

I've never argued against defence in depth, I simply do not believe
that unframed nonces and space injected keys are any significant
defences and that there are better alternatives.

So from your experiment, I would propose that we explicitly restrict
the ports that WS clients can contact other than 80/443 that are below
1024.  I see no reason at all to allow WS connection attempts to port
53.
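
The port policy proposed in the message above, and the length-prefix observation about DNS, as an added example written for this archive page rather than code from Greg Wilkins or from any browser. The policy constants, function names and the sample URLs are assumptions of the example; the two-byte big-endian length prefix is the DNS-over-TCP framing from RFC 1035 section 4.2.2.

```javascript
// Added example, not part of the original mailing-list post: a client-side
// target-port policy for WebSocket URLs that allows 80 and 443 and refuses
// every other privileged port (below 1024), as proposed in the message.
// Names and thresholds here are assumptions made for this example.
const ALLOWED_PRIVILEGED_PORTS = new Set([80, 443]);
const PRIVILEGED_LIMIT = 1024;
const DEFAULT_PORTS = { "ws:": 80, "wss:": 443 };

// Resolve the effective port of a ws:// or wss:// URL, filling in the
// scheme default when the URL carries no explicit port.
function effectivePort(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) {
    throw new Error(`not a WebSocket URL: ${urlString}`);
  }
  return url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
}

// Policy decision: true when a client may attempt the handshake at all.
function wsTargetAllowed(urlString) {
  const port = effectivePort(urlString);
  return port >= PRIVILEGED_LIMIT || ALLOWED_PRIVILEGED_PORTS.has(port);
}

// DNS over TCP prefixes each message with a two-byte big-endian length
// (RFC 1035 section 4.2.2). A DNS server that applied that rule to the first
// bytes of an HTTP request line would read "GE" as 0x4745 = 18245 and then
// wait for that many further bytes, which a client that cannot attach an
// entity body to the handshake never supplies.
function dnsTcpLengthPrefix(requestText) {
  const bytes = Buffer.from(requestText, "ascii");
  if (bytes.length < 2) throw new Error("need at least two bytes");
  return bytes.readUInt16BE(0);
}

// Constructed sample targets for a stand-alone run.
const SAMPLE_URLS = [
  "ws://example.com/",        // default port 80: allowed
  "wss://example.com/",       // default port 443: allowed
  "ws://example.com:53/",     // DNS: privileged, not 80/443: blocked
  "ws://example.com:25/",     // SMTP: blocked for the same reason
  "ws://example.com:8080/",   // unprivileged: allowed
];
for (const u of SAMPLE_URLS) {
  console.log(u, wsTargetAllowed(u) ? "allowed" : "blocked");
}
console.log("length a DNS/TCP server would expect after \"GET /\":",
  dnsTcpLengthPrefix("GET / HTTP/1.1\r\n"));
```

The check runs on the URL before any socket is opened, so a blocked port never produces a TCP connection, let alone a handshake; the second function only quantifies why the message considers the DNS case harmless even when the port is reachable.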