IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Eric Rescorla <ekr@rtfm.com> Mon, 11 October 2010 04:16 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B28E83A68C5 for <hybi@core3.amsl.com>; Sun, 10 Oct 2010 21:16:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.714
X-Spam-Level:
X-Spam-Status: No, score=-101.714 tagged_above=-999 required=5 tests=[AWL=0.262, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ET48OjgcQRZa for <hybi@core3.amsl.com>; Sun, 10 Oct 2010 21:16:13 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id 1C9483A6407 for <hybi@ietf.org>; Sun, 10 Oct 2010 21:16:11 -0700 (PDT)
Received: by gyc15 with SMTP id 15so199581gyc.31 for <hybi@ietf.org>; Sun, 10 Oct 2010 21:17:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.114.7 with SMTP id m7mr2866122agc.153.1286770642045; Sun, 10 Oct 2010 21:17:22 -0700 (PDT)
Received: by 10.91.190.1 with HTTP; Sun, 10 Oct 2010 21:17:21 -0700 (PDT)
In-Reply-To: <20101009204009.GP4712@1wt.eu>
References: <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de> <4CAFB9C4.6030905@caucho.com> <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com> <20101009055723.GL4712@1wt.eu> <AANLkTimY2DjxgZybibSRtc7L34Wns2KhQC=Wa9K6PYku@mail.gmail.com> <20101009204009.GP4712@1wt.eu>
Date: Sun, 10 Oct 2010 21:17:21 -0700
Message-ID: <AANLkTi=Az0RmE1Uipo068zMh3YzgMpM2tQ+zYxaDT47A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Willy Tarreau <w@1wt.eu>
Content-Type: multipart/alternative; boundary="0016361e87b006cc0e04924fa371"
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2010 04:16:18 -0000

On Sat, Oct 9, 2010 at 1:40 PM, Willy Tarreau <w@1wt.eu> wrote:

> On Sat, Oct 09, 2010 at 09:43:21AM -0700, Eric Rescorla wrote:
> > On Fri, Oct 8, 2010 at 10:57 PM, Willy Tarreau <w@1wt.eu> wrote:
> >
> > > On Fri, Oct 08, 2010 at 05:43:06PM -0700, Eric Rescorla wrote:
> > > > This case definitely needs to be addressed. It's a completely
> standard
> > > > hosting
> > > > configuration.
> > >
> > > it is correctly addressed by respecting the HTTP protocol which
> consists in
> > > sending Connection: close in the request so that there is no risk that
> > > either
> > > the web server or any intermediary consider additional data as a second
> > > request.
> > >
> >
> > As I understand this suggestion, for it to provide security it relies on
> > servers always
> > treating any message with Connection: close as the final message. I don't
> > know if
> > servers always do this correctly, but since it's not really required for
> > interoperability,
> > I suspect that some do not.
>
> I really don't buy that. It's been the default mode for HTTP till 1.0 and
> the default switched to keep-alive with 1.1. Supporting this header is a
> huge requirement to support old browsers, crawlers and various monitoring
> tools, otherwise you get back to the situation where both sides wait for
> the other one to close.


As far as I know, it's not correct that failing to support this header
creates
deadlock.

(1) RFC 2616 does NOT require clients to send Connection: close if they
do not want to create a persistent connection. (The requirement in 8.1.2.1
is only SHOULD level.

(2) Servers are permitted (and at least the servers I am familiar with do)
to simply close the connection regardless of whether it is persistent
(i.e., regardless of whether either side sent a Connection: close).
(S 8.1.4.)

Thus, it's quite possible to implement an HTTP server which does not
deadlock
without looking at the Connection header at all, simply by having a short
timeout.

Moreover, even treating the *presence* of a Connection: close as an
indication
of there being no more requests is merely a SHOULD level requirement
(S 14.10):

  HTTP/1.1 defines the "close" connection option for the sender to
   signal that the connection will be closed after completion of the
   response. For example,

       Connection: close

   in either the request or the response header fields indicates that
   the connection SHOULD NOT be considered `persistent' (section 8.1)
   after the current request/response is complete.

Accordingly, it's not at all clear to me that it's safe to rely on
Connection: close



> Saying that some servers won't support Upgrade
> makes some sense, but saying that some won't support close clearly does
> not.
>

It may be clear to you but it's not clear to me.


>
>
> All other things being equal, I would generally prefer to have a design
> > which failed
> > safely even if the server did not process Connection: close correctly. I
> > believe that the
> > design that Adam and I proposed in fact satisfies that desideratum
>
> But it causes other issues caused by its breakage of interoperability with
> HTTP content-aware infrastructure components such as URL switchers and load
> balancers which are already deployed in almost all shared hosting
> environments
> (namely URLs, Host header and Cookies). So it maybe it satisfies the
> requirement of protection against some types of not yet identified servers,
> but it does not satisfy anymore the compatibility with existing
> infrastructure.
>

I'm not convinced that that's true: Adam has already explained how to make
a
content aware load balancer that speaks Websockets, simply by having the
Host header appear in the encrypted portion.



> Also, if we're talking about imaginary server implementations, why not
> agree that some servers could systematically experience an exploitable
> buffer overflow and fire /bin/sh everytime they receive a CONNECT request
> with anything that does not look like an IP address ?
>

I think there's a fairly obvious distinction between the assumption that
servers do not have trivially exploitable remote vulnerabilities (something
that no protocol design feature in this WG can ameliorate) and the
assumption that you appear to want to make, namely that servers will do
things
that (1) are not required for interoperate and (2) are not even MUST-level
requirements in the relevant specification.

-Ekr

v2.23.0 | Report a Bug | By Email