IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Maciej Stachowiak <mjs@apple.com> Tue, 28 September 2010 23:49 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A83E3A6BED for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 16:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.659
X-Spam-Level:
X-Spam-Status: No, score=-106.659 tagged_above=-999 required=5 tests=[AWL=-0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GfMGLKfu0o6z for <hybi@core3.amsl.com>; Tue, 28 Sep 2010 16:49:40 -0700 (PDT)
Received: from mail-out3.apple.com (mail-out.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id E97C33A6BCC for <hybi@ietf.org>; Tue, 28 Sep 2010 16:49:39 -0700 (PDT)
Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out3.apple.com (Postfix) with ESMTP id 1561CABCF48A for <hybi@ietf.org>; Tue, 28 Sep 2010 16:50:22 -0700 (PDT)
X-AuditID: 1180711d-b7b8eae0000035ac-9f-4ca27f3dd5ec
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay13.apple.com (Apple SCV relay) with SMTP id B3.2A.13740.D3F72AC4; Tue, 28 Sep 2010 16:50:22 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.122.9] by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L9H00DWBE7XLFA0@et.apple.com> for hybi@ietf.org; Tue, 28 Sep 2010 16:50:21 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com>
Date: Tue, 28 Sep 2010 16:50:21 -0700
Message-id: <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <AANLkTinACqm-GxUPhvFMf6_sGfeJofwy1r=28o=vgM43@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 23:49:41 -0000

On Sep 28, 2010, at 2:36 AM, Greg Wilkins wrote:

> Maciej,
> 
> taking our offline conversation back to the list (as you suggested), you said:
> 
>> I don't think you identified any effective defenses other than inability
>> to send the intended form of the nonce (as a Sec- header).
>> 
>> I would be glad to elaborate further on the list if that would be helpful.
> 
> 
> I believe that more defences have been discussed than just the
> inability to send the nonce. Specifically the following defences have
> been identified (but perhaps not enumerated as thoroughly):
> 
> For a HTTP client to attack a WS server, the defences are:
> + The inability to send a nonce in a Sec-Header.

Agree on this one.

> + Reliance on the browser not treating the 101 response as an error.
> + The inability to read the ping frame after the 101 response.

The threat model I described involves an attack on integrity, not confidentiality, so these two defenses do no good.

In other words, the threat model is that the attacker sends commands with side effects that it shouldn't be able to, and doesn't care about reading the response.


> + The inability to send a pong frame

I don't think this one is true. Why couldn't you include it in an HTTP message body? Your original proposal does nothing to prevent this. Adding a server-provided nonce to the ping and requiring it to appear in some form in the pong does add some protection, but only as strong as the server's (possibly ad-hoc) choice of RNG.

> + The inability to provide credentials (not otherwise available to
> normal HTTP) to access authorized content

Network position is itself effectively a credential. Some servers are only protected by a firewall. This is common not only in enterprise scenarios but also with many consumer devices that offer Web-based configuration. Browsers generally consider it their responsibility not to expand the attack surface in such cases.

There are ways to send other credentials in cross-site requests, for example by doing it through a form instead of XHR. I haven't thought through those cases in detail yet so I don't have a strong claim to make at this time.

> + The inability to make a WS server send unauthorized content as
> valid WS frames

Not relevant to the threat model. Again, because the threat is an attack on integrity, not confidentiality.

> + The inability to provide credentials (not otherwise available to
> normal HTTP) that might trigger server side effects

Not relevant to the threat model, which is existing HTTP functionality being used to attack WebSocket servers.

> + The inability to send a WS frame from a HTTP client that might
> trigger server side effect.

I don't think this is true. What stops you from sending the bytes of a WS frame from an in-browser HTTP client?

> + That even if all of the above could be subverted, the attacker
> would only have a capability (to talk WS), that we plan to have widely
> available within the browser.

WebSocket itself will not send any frames until the handshake is complete, but HTTP sends the body along with the headers. So it's not the same. You can't count on browser-side checking of the server response to protect WS servers from HTTP clients.


The risk I described did not fall into the three other threat models below, so no comment on those for now. I will review the list later, time permitting.

Regards,
Maciej

> 
> 
> For a WS client to attack a HTTP server:
> + The inability to force intermediaries and servers to generate a 101 response
> + The inability to force a server to emit a ping frame after a 101 response
> + The inability to know what contents to put into a ping frame even
> if one could be injected.
> + The inability to provide credentials (not otherwise available to
> normal HTTP) to access authorized content
> + The inability for the server to send unauthorized content in a WS frame.
> + The inability to provide credentials not available to via a normal
> HTTP request that might trigger some authorized side effect.
> + The inability to send valid HTTP requests from a WS client.
> + If all of the above could be subverted, then the existing browser
> cross domain model could be broken and an attacker could view content
> from a different domain. But if the server was injectable to such an
> extent as to allow 101s and ping frames, then it is highly likely that
> javascript code could be injected that would also break the cross
> domain model without the use of WS.
> 
> 
> For a WS client to some other protocol server:
> + The browser restricts the port range that can be the target of a WS
> connection
> + Reliance on the server to not treat the HTTP handshake request as a
> fatal error.
> + The inability to force the servers to generate a 101 response
> + The inability to force a server to emit a ping frame after a 101 response
> + The inability to know what contents to put into a ping frame even
> if one could be injected.
> + The inability to force another protocol server to send unauthorized
> content in a websocket frame.
> + The inability to provide credentials not available to via a normal
> HTTP request that might trigger some authorized side effect.
> 
> 
> For a WS client to attack a WS server:
> + The inability to force a server to send arbitrary origin headers,
> so attacking code will not be from the same origin as the connection.
> 
> Note that these defences are essentially identical between -02 and my
> proposal - ie they are not dependant on space encoding of nonces nor
> the unframed transmission of nonces and hashes.
> 
> I'm not saying these defences are perfect, nor that they cannot be
> improved. However I think that there are sufficient defences in depth
> (except for WS to WS) that they cannot be simply dismissed without
> some thorough detailed explanation.
> 
> regards
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi

v2.23.0 | Report a Bug | By Email