Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Fri, 08 October 2010 23:40 UTC

Message-ID: <4CAFAC2B.5000800@caucho.com>
Date: Fri, 08 Oct 2010 16:41:31 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com> <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com> <4CA772A1.2090808@caucho.com> <AANLkTi=nLixtxMEd4B58Zp5FRbquNX2C_=7gCf9BGGQs@mail.gmail.com> <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com>
In-Reply-To: <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Oct 2010 23:40:30 -0000

Adam Barth wrote:
> On Fri, Oct 8, 2010 at 3:50 PM, Scott Ferguson <ferg@caucho.com> wrote:
>   
>> Adam Barth wrote:
>>     
>>> The DNS server is the target server.
>>>       
>> Then please retract your more general claimed attack against server S using
>> DNS/HTTP.
>>
>> Let me repeat the important claim from your proposal (also quoted above):
>>     
>
> Oh, I thought we were still talking about the earlier example that
> involved a DNS server.
>   

As long as we're clear that DNS itself and DNS only is the target and 
not some second server using information from DNS, this is fine. 
"involved" is more general than "is the target".

> This is a virtual hosting environment.  That's what I meant when I
> said "consider, for example, a virtual hosting environment in which
> the attacker can place PHP scripts on the server."  The attacker has
> access to one virtual host on the server but does not own the entire
> server.
>
> Concretely, consider http://www.adambarth.com/.  My web site is a
> virtual host on a physical server in a 1and1 datacenter.  I'm
> perfectly capable of placing a PHP script on my virtual host.  If the
> PHP script is able to complete the web socket handshake, then I can
> open a WebSocket connection to www.adambarth.com on port 80 from the
> user's browser.  Once the WebSocket handshake completes, I can now
> talk directly to the 1and1 server over more-or-less a raw socket,
> which means I can spoof further HTTP requests and potentially attack
> other virtual hosts that happen to be on the same physical machine,
> which is bad news bears.
>   

So the attacker has a PHP script running on the same physical machine as 
the target site, on the same VM guest as the target, and using the same 
shared web server as the target, and has decided that a cross-protocol 
attack is the appropriate vector against a target on the same machine as 
his PHP script.

I'll let others decide if that scenario is something the WebSocket 
protocol needs to address.

However, I will point out that using "WEBSOCKET" as the HTTP method 
would let the ISP reject the initial request, protecting other virtual 
hosts from this attack.

-- Scott

> Adam
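A toy model of the two positions in this exchange, added here as an illustration and not code from the thread or from any WebSocket implementation. It feeds one byte stream through a naive keep-alive HTTP request splitter sitting in front of several virtual hosts: Adam's scenario is the GET-plus-Upgrade handshake to the attacker's vhost followed by bytes the page writes once it believes it holds a raw socket, which the splitter then routes by Host header to another vhost; Scott's proposal is a front end that refuses a distinct "WEBSOCKET" request method and closes the connection before any vhost script runs. The host names, paths, the "reject every handshake" policy and the assumption that the shared server keeps parsing the connection as HTTP after the script's response are all assumptions made for the demo.

```python
"""Toy model of the shared-host scenario from the thread: one connection,
one naive keep-alive HTTP parser in front of several virtual hosts.

Added illustration only; not code from the thread or from any WebSocket
implementation. Host names, paths and the front-end policy are assumptions
made for the demo.
"""
from __future__ import annotations

CRLF = b"\r\n"

# Assumed virtual hosts sharing one physical server (constructed names).
VHOSTS = {"attacker.example": "attacker-vhost", "victim.example": "victim-vhost"}


def parse_requests(stream: bytes) -> list[dict]:
    """Split a byte stream into HTTP/1.x requests the way a keep-alive
    server that never left HTTP mode would: request line, headers, then a
    body of Content-Length bytes. Unparsable leftovers are kept as 'raw'."""
    reqs: list[dict] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(CRLF + CRLF, pos)
        if end < 0:
            reqs.append({"method": None, "raw": stream[pos:]})
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            reqs.append({"method": None, "raw": stream[pos:end + 4]})
            pos = end + 4
            continue
        headers: dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        reqs.append({"method": parts[0], "target": parts[1],
                     "headers": headers, "body": body})
        pos = end + 4 + length
    return reqs


def route(req: dict) -> str | None:
    """Pick the virtual host by Host header, as a shared server would."""
    if req["method"] is None:
        return None
    return VHOSTS.get(req["headers"].get("host", ""))


def is_handshake_get_upgrade(req: dict) -> bool:
    """Handshake shape of the drafts under discussion: GET plus Upgrade."""
    return (req["method"] == "GET"
            and req["headers"].get("upgrade", "").lower() == "websocket")


def front_end_rejects(req: dict) -> bool:
    """Scott's proposal modelled: a distinct request method lets the hosting
    provider's front end refuse the handshake before any vhost script runs.
    Rejecting every such request is the assumed policy for this demo."""
    return req["method"] == "WEBSOCKET"


def simulate(stream: bytes, front_end: bool) -> list[str | None]:
    """Return, per parsed request, which vhost receives it. A front-end
    rejection closes the connection, so nothing after it is processed and
    the browser never reaches the 'raw socket' state."""
    out: list[str | None] = []
    for req in parse_requests(stream):
        if front_end and front_end_rejects(req):
            out.append("rejected")
            break
        out.append(route(req))
    return out


# Constructed sample traffic: a handshake to the attacker's vhost followed
# by bytes the attacker's page writes once it believes the socket is raw.
HANDSHAKE_GET = (b"GET /chat HTTP/1.1" + CRLF +
                 b"Host: attacker.example" + CRLF +
                 b"Upgrade: websocket" + CRLF +
                 b"Connection: Upgrade" + CRLF + CRLF)
HANDSHAKE_METHOD = HANDSHAKE_GET.replace(b"GET /chat", b"WEBSOCKET /chat", 1)
SMUGGLED = (b"GET /admin/delete-all HTTP/1.1" + CRLF +
            b"Host: victim.example" + CRLF + CRLF)

if __name__ == "__main__":
    # Adam's scenario: the second request lands on the other vhost.
    print(simulate(HANDSHAKE_GET + SMUGGLED, front_end=False))
    # Scott's proposal: the front end stops it at the handshake.
    print(simulate(HANDSHAKE_METHOD + SMUGGLED, front_end=True))
```

The first run shows the point Adam is making: once the shared server treats the post-handshake bytes as ordinary HTTP, the Host header decides the target and the attacker's vhost is irrelevant. The second run shows what Scott's distinct method buys: the decision can be made by the front end on the request line alone, without inspecting headers or trusting the script that would otherwise answer the handshake.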