IETF Logo Mail Archive

Re: [hybi] workability (or otherwise) of HTTP upgrade

Willy Tarreau <w@1wt.eu> Wed, 01 December 2010 20:00 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ADA963A6D0E for <hybi@core3.amsl.com>; Wed, 1 Dec 2010 12:00:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.127
X-Spam-Level:
X-Spam-Status: No, score=-2.127 tagged_above=-999 required=5 tests=[AWL=-0.084, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 080DRtihUu4M for <hybi@core3.amsl.com>; Wed, 1 Dec 2010 12:00:41 -0800 (PST)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 5B9383A6D12 for <hybi@ietf.org>; Wed, 1 Dec 2010 12:00:29 -0800 (PST)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id oB1K1Wi3021548; Wed, 1 Dec 2010 21:01:32 +0100
Date: Wed, 01 Dec 2010 21:01:32 +0100
From: Willy Tarreau <w@1wt.eu>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20101201200132.GL19021@1wt.eu>
References: <F96E5CE9-CA7D-4B70-8260-F05456D021FB@gbiv.com> <AANLkTimi5HL56PD9gLHUWs=mcbV3Eaz=GOsK38sxPevb@mail.gmail.com> <AANLkTimydOwRiVkrZn0zmxmvWP_V6yAmNbipOF73NBWD@mail.gmail.com> <AANLkTin_k_s7yOSP1QUXyy66p=gweeepySFG+C=kGYJ+@mail.gmail.com> <AANLkTim9jj0pZzNjrJ+rTXd6ZYnp284ugcKXALcj-Wt6@mail.gmail.com> <AANLkTinb4pDS25HJwnM36NK9ajyEt8MztWriR5ECEgZR@mail.gmail.com> <20101201185759.GI19021@1wt.eu> <AANLkTi=Jx867QjSHNJkwo_ryYML-X9HWjjCTCS=-Cbmd@mail.gmail.com> <20101201194222.GK19021@1wt.eu> <AANLkTi=x8dJkm+yvNOrt5bnj_06bA0HfKTqr3-4QLaAm@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTi=x8dJkm+yvNOrt5bnj_06bA0HfKTqr3-4QLaAm@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: "William A. Rowe Jr." <wrowe@rowe-clan.net>, "Roy T. Fielding" <fielding@gbiv.com>, Hybi HTTP <hybi@ietf.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2010 20:00:41 -0000

On Wed, Dec 01, 2010 at 11:46:07AM -0800, Eric Rescorla wrote:
> > The fact that .invalid is reserved for invalid domains does not technically
> > imply that it will never resolve. Either the handshake does not care
> > whether
> > the host resolves or not, then we can safely put the correct one, or it
> > relies
> > on the fact that it must never ever resolve and we must use something that
> > cannot be resolved.
> >
> 
> This is incorrect. The threat is that the attacker can *control* the target.

I don't see how you can ensure that an attacker cannot control a target which
is not supposed to exist in the first place. Randomly pointing to anything
that should not exist or that is not even considered to be used means that
no care will be taken about the location it's pointing to.

Some will use "127.0.0.1" which may be enough for an attacker running the
service on a shared server to collect some traffic, some may put "10.10.10.10"
which unfortunately will be routed to the default gateway, etc... Puting a
false information somewhere is just a way to confuse the persons responsible
for ensuring everything is under control.

This security model does not rely on a safe design but on the fact that
components will be deployed in optimal conditions. This approach could as
well lead us to decide that every admin will take care of upgrading all
their proxies to support Upgrade as soon as Websocket is released, just
in case it causes an issue. But in my opinion, both asumptions are wrong.

Regards,
Willy

v2.23.0 | Report a Bug | By Email