Re: [hybi] Handshake was: The WebSocket protocol issues.

Greg Wilkins <gregw@webtide.com> Fri, 01 October 2010 03:26 UTC

In-Reply-To: <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com>
Date: Fri, 01 Oct 2010 13:27:23 +1000
Message-ID: <AANLkTi=YTYsbYLiqiPdoJN=yxkWyMmEM5GT4VZbJTFwO@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Adam Barth <ietf@adambarth.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

On 1 October 2010 12:36, Adam Barth <ietf@adambarth.com> wrote:
> On Thu, Sep 30, 2010 at 6:50 PM, Scott Ferguson <ferg@caucho.com> wrote:
>> To repeat the key pieces:
>>  a) c-nonce must not be available to or predictable by the hijacker
>>  b) "WebSocket" is not possessed by a non-websocket server
>
> You're making a bunch of assumptions about how non-websocket servers
> behave.  In particular, consider a protocol like DNS.  It's entirely
> possible that a DNS-like protocol could relay the c-nonce to the
> attacker and give the attacker an opportunity to respond with the
> appropriate hash, which the server would then relay to the client.
> Attacks of this general class (even against DNS) are known for HTTP.

Adam,

At this stage in our deliberations we need something a little more useful than a
statement that it is possible that protocol X might be vulnerable.
That is a truism - who would have thought TLS was vulnerable to a man
in the middle attack, but it was - so it is true that any protocol
might be vulnerable. The question is - how likely is it to be
vulnerable, and are we doing anything to increase the chances of that?

Can you explain how a DNS-like protocol might be vulnerable to an HTTP
handshake? Especially as it runs on port 53, which should not be
allowed to be the target of any HTTP or WS connections.

Can you cite any references that indicate that if HTTP requests were
sent to a DNS server they could be mistaken for DNS requests? How
would a WS HTTP upgrade request be any more likely to be so mistaken?
How would having spaces in the nonce make this mistake any less likely
to occur? How would framing the random bytes change this?

Are there any recorded vulnerabilities of DNS servers echoing back any
content from an HTTP request? If so, then I would expect these might
already have been used as part of some XSS attack. Reflecting
user-provided data is generally considered a bad thing to do and most
modern protocols only allow it in very limited situations (hence the
disabling of TRACE in HTTP).

Even if this were possible - what is the risk? That a WS client will
look up DNS names? Or do you have any indication that a WS handshake
will make a DNS server more vulnerable to cache poisoning or any other
spoofing attack? Is there something about a WS handshake that would
better enable a cache poisoning attack than XHR? If through some
miracle the handshake was passed, is there something about the WS
frames that would allow attacks on DNS servers more than XHR?

There are a few moderate proposals being made to incrementally improve
the handshake problems that we currently have. How does your statement
help us evaluate those proposals?
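The two requirements Scott Ferguson lists in the quoted text (an unpredictable client nonce, and a server proof that a non-WebSocket service cannot forge by echoing) are what the handshake eventually standardised in RFC 6455 provides. The following is an added illustration, not code from this thread or from any hybi draft: it implements the RFC 6455 Sec-WebSocket-Accept computation and contrasts a real WebSocket server with a constructed model of a service that merely reflects request bytes. The `reflecting_server` and `websocket_server` functions are hypothetical stand-ins for the two server behaviours being argued about.

```python
import base64
import hashlib
import hmac
import os

# RFC 6455 GUID. A non-WebSocket service that reflects whatever it receives
# does not "possess" this value, which is requirement (b) in the quoted text.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_nonce() -> str:
    """Requirement (a): 16 bytes from the OS CSPRNG, base64-encoded, so the
    nonce is neither available to nor predictable by a hijacker."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(client_nonce: str) -> str:
    """RFC 6455: base64(SHA-1(Sec-WebSocket-Key || GUID))."""
    digest = hashlib.sha1((client_nonce + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_verifies(client_nonce: str, response_headers: dict) -> bool:
    """The client's check: accept the connection only if the peer proves it
    knew both this connection's nonce and the WebSocket-specific GUID."""
    accept = response_headers.get("Sec-WebSocket-Accept")
    if accept is None:
        return False
    # constant-time compare; avoids leaking how many leading bytes matched
    return hmac.compare_digest(accept, expected_accept(client_nonce))


def reflecting_server(request_headers: dict) -> dict:
    """Constructed model of the worry raised in the thread: a non-WebSocket
    service that echoes client-supplied data back. It can reflect the nonce,
    but it has no GUID to bind it to."""
    return {"Sec-WebSocket-Accept": request_headers.get("Sec-WebSocket-Key", "")}


def websocket_server(request_headers: dict) -> dict:
    """A server that actually speaks WebSocket computes the bound value."""
    return {"Sec-WebSocket-Accept": expected_accept(request_headers["Sec-WebSocket-Key"])}


if __name__ == "__main__":
    nonce = make_client_nonce()
    request = {"Upgrade": "websocket", "Sec-WebSocket-Key": nonce}
    print("genuine server accepted:", client_verifies(nonce, websocket_server(request)))
    print("reflecting server accepted:", client_verifies(nonce, reflecting_server(request)))
```

The reflected nonce fails the client's check even though every byte the client sent came back, which is the property the quoted requirements are aiming for.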