IETF Logo Mail Archive

Re: [hybi] A WebSocket handshake

Greg Wilkins <gregw@webtide.com> Thu, 07 October 2010 02:32 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3EEEB3A6FFA for <hybi@core3.amsl.com>; Wed, 6 Oct 2010 19:32:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.449
X-Spam-Level:
X-Spam-Status: No, score=-0.449 tagged_above=-999 required=5 tests=[AWL=-1.072, BAYES_50=0.001, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ldMRP-aUdL1b for <hybi@core3.amsl.com>; Wed, 6 Oct 2010 19:32:28 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id E28A23A6D54 for <hybi@ietf.org>; Wed, 6 Oct 2010 19:32:26 -0700 (PDT)
Received: by iwn10 with SMTP id 10so384271iwn.31 for <hybi@ietf.org>; Wed, 06 Oct 2010 19:33:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.17.11 with SMTP id q11mr135723iba.63.1286418805780; Wed, 06 Oct 2010 19:33:25 -0700 (PDT)
Received: by 10.231.39.199 with HTTP; Wed, 6 Oct 2010 19:33:25 -0700 (PDT)
In-Reply-To: <AANLkTimQ5x-v+Mz_OHrNDdtVd94E+HOBWwo3_f1ktEeg@mail.gmail.com>
References: <AANLkTimQ5x-v+Mz_OHrNDdtVd94E+HOBWwo3_f1ktEeg@mail.gmail.com>
Date: Thu, 07 Oct 2010 13:33:25 +1100
Message-ID: <AANLkTinw7CpY9d1pW0dEtY9kTLoY6dwoUcXHkLbK7b_q@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Hybi <hybi@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [hybi] A WebSocket handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Oct 2010 02:32:29 -0000

On 6 October 2010 09:15, Adam Barth <ietf@adambarth.com> wrote:

> == Strawmen ==
> If  the attacker can host an htaccess file at any location a target HTTP server,

This is indeed a strawman.

If the attacker can host an htaccess file in any location, then the
attacker already owns the server!

> Consider, for example, a virtual hosting environment in which the attacker can place PHP scripts on the server.

Then again, the attacker already owns the server. They can write a
script to echo back any cookie or content from any script or XHR, so
the clients cookies are already been exposed.  This has nothing to do
with websockets.



> === Handshake Request ===
> 1) The attacker cannot influence any of the bytes included in the
> message.

If the attacker cannot influence any of the bytes in the handshake,
then an extra round trip will be needed to communicate the WebSocket
URL and subprotocol. Ideally these need to be known before a server
proceeds with accepting a websocket connection.

Thus I think it is unrealistic to propose a content free handshake.

Unfortunately, once you allow content (which I think we must), then a
CONNECT handshake is just as vulnerable to cross protocol attacks to
DNS servers as HTTP is.  If those servers are going to interpret the
method as a frame header and then scan forward to the arbitrary
content provided by the attacker, then they will be equally vulnerable
to POST, GET or CONNECT (with perhaps some variance due to the happen
stance of the actual ascii values of those names).   But luckily, you
have already demonstrated that DNS like servers are not vulnerable to
HTTP with GET and POST, so they are thus not vulnerable to CONNECT.
But this proposal still does not represent any real change of
substance.


> 2) Any intermediaries that understand this message according to its
> HTTP semantics with route the request to a non-existent domain and
> fail the request.  In particular, they will not route the
> Sec-WebSocket-Key to the attacker, making it difficult for the
> attacker to perform actions based on the key.

So that would mean that an intermediary that correctly implements both
CONNECT and
upgrade headers would not be able to work with websockets using this
handshake, while it could with the currently proposed handshake.

I don't think we should have a handshake that punishes correctly
implemented intermediaries.


> 4) This message cannot be generated by a web attacker in today’s browsers.

I expect this is true, although I would like to review the various
auto proxy configuration mechanisms that are available, as they may
allow a compromised CONNECT request.


> == Conclusion ==
>
> We believe this handshake is superior to the current handshake because
> this handshake has a stronger argument for security.  Because the
> attacker cannot control any of the bytes sent by the browser, the
> attacker will have difficulty mounting a cross-protocol attack using
> this handshake.

The strawman analysis of the threat to the upgrade handshake is indeed
a strawman and thus can't be used to justify any claims of
superiority.

Also the main security aspect of this handshake is that it does not
allow attacker supplied content.  This provides a secure but
non-functional handshake.

v2.23.0 | Report a Bug | By Email