IETF Logo Mail Archive

Re: [hybi] handshake security (was: Frame size)

"Thomson, Martin" <Martin.Thomson@andrew.com> Mon, 19 April 2010 05:15 UTC

Return-Path: <Martin.Thomson@andrew.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 131C53A6A5E for <hybi@core3.amsl.com>; Sun, 18 Apr 2010 22:15:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.969
X-Spam-Level:
X-Spam-Status: No, score=-0.969 tagged_above=-999 required=5 tests=[AWL=-0.229, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iHHddwRW00oV for <hybi@core3.amsl.com>; Sun, 18 Apr 2010 22:15:51 -0700 (PDT)
Received: from csmailgw1.commscope.com (csmailgw1.commscope.com [198.135.207.244]) by core3.amsl.com (Postfix) with ESMTP id 7A9A33A6AA6 for <hybi@ietf.org>; Sun, 18 Apr 2010 22:15:27 -0700 (PDT)
Received: from [10.86.20.103] ([10.86.20.103]:22754 "EHLO ACDCE7HC2.commscope.com") by csmailgw1.commscope.com with ESMTP id S18331747Ab0DSFPQ (ORCPT <rfc822; hybi@ietf.org>); Mon, 19 Apr 2010 00:15:16 -0500
Received: from SISPE7HC1.commscope.com (10.97.4.12) by ACDCE7HC2.commscope.com (10.86.20.103) with Microsoft SMTP Server (TLS) id 8.1.436.0; Mon, 19 Apr 2010 00:15:16 -0500
Received: from SISPE7MB1.commscope.com ([fe80::9d82:a492:85e3:a293]) by SISPE7HC1.commscope.com ([fe80::8a9:4724:f6bb:3cdf%10]) with mapi; Mon, 19 Apr 2010 13:15:13 +0800
From: "Thomson, Martin" <Martin.Thomson@andrew.com>
To: Ian Hickson <ian@hixie.ch>
Date: Mon, 19 Apr 2010 13:16:42 +0800
Thread-Topic: [hybi] handshake security (was: Frame size)
Thread-Index: Acrfd19ZQGt1IhGdTBWaxnu+i9lREwAA5NzA
Message-ID: <8B0A9FCBB9832F43971E38010638454F03E7D0684C@SISPE7MB1.commscope.com>
References: <8B0A9FCBB9832F43971E38010638454F03E3F313ED@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004161940180.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D0678C@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190009190.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D067A9@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190159340.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D0682D@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190404290.751@ps20323.dreamhostps.com>
In-Reply-To: <Pine.LNX.4.64.1004190404290.751@ps20323.dreamhostps.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-BCN: Meridius 1000 Version 3.4 on csmailgw1.commscope.com
X-BCN-Sender: Martin.Thomson@andrew.com
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] handshake security (was: Frame size)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 05:15:54 -0000

> The idea is not to make the client able to do anything, the idea is to
> make the server more likely to fail to get to the point where it is
> accepting frames without having checked that it's a Web Socket client.

That's the tension.  The lazy server implementer does the minimum that they believe they can get away with.  If they have to interoperate with browsers, they will do the minimum to interoperate with browsers.

That leaves a lot of room for error - and you know what, that's probably OK.  The only one who suffers is the server implementer.  They are the ones being duped.

The WS-aware browser works it out pretty quickly; the WS-ignorant browser probably chokes on the Upgrade header in the response, and if not then, they will eventually fail.

> > If the server only looks for certain markers, then I imagine that an
> > SMTP message could trigger launch in the same fashion.  It doesn't
> stop
> > the attack.
> 
> I don't see how you could cause any privileged machine in this scenario
> to
> connect to the Web Socket server using SMTP. Could you elaborate on
> that?

The point being that if a server only searches for certain byte sequences, those byte sequences can be embedded in any protocol you like.  Nothing you do as a specification writer helps the server that is able to mistake another TCP-borne protocol for WS.

The mechanism doesn't stop an attack.  It only provides a higher bar to entry for server developers.  There is already a means by which the server tells that the request is not a WebSocket request: checking for the presence of the correct Upgrade header.

Sure, the handshake provides incentive for server developers to do the right thing... inasmuch as it is probably easier then to do the right thing than the wrong thing once the handshake is implemented.  On the other hand, it doesn't provide any real assurances to either party.

We still have to take it on faith that the server implementation isn't brain-dead.  But that's possible without the mechanism.

> > It's quite possible that any viable solution to that problem would be
> > more trouble than it's worth.  (you know, there might be a business
> > in that...)
> 
> Not sure what you mean.

Sorry, just me being obtuse:

  More trouble than it's worth == more round trips and latency, more complicated mechanisms.

--Martin

v2.23.0 | Report a Bug | By Email