Re: [xmpp] See-other-uri and insecure web sockets

Kevin Smith <kevin@kismith.co.uk> Tue, 04 March 2014 16:44 UTC

From: Kevin Smith <kevin@kismith.co.uk>
To: Jonathan Lennox <jonathan@vidyo.com>
Cc: "xmpp@ietf.org" <xmpp@ietf.org>
Date: Tue, 4 Mar 2014 16:44:28 +0000
List-Id: XMPP Working Group <xmpp.ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/SX0CWOBDRGBOgcgFgPMC5QzgInU

On Tue, Mar 4, 2014 at 3:31 PM, Jonathan Lennox <jonathan@vidyo.com> wrote:
> As requested -- I reviewed the text forbidding see-other-uri downgrading in the current version of draft-ietf-xmpp-websocket, and I'm happy with it.
>
> What I was responding to at the mic was a comment that StPeter made during his presentation, suggesting that in addition, a future version of the draft would recommend that see-other-uri received over an insecure (ws or http) connection should be ignored.

It feels to me like there are potentially auth mechanism downgrade
attacks associated here, if people were to do the Wrong Thing. So I
think at least a note is worthwhile.

The document does, though, tell everyone to do wss, so this is
arguably not an issue.

>
> I think this is a bad idea -- I don't see any reason why see-other-uri should be any less trusted than anything else received over an insecure connection.  And indeed, I think that most servers (if they have a ws listener at all) would want to respond to insecure XMPP connections by sending a see-other-uri pointing at their wss uri!

I think this scenario is somewhat unlikely - in this case the
discovery would have pointed to wss (either hard-coded or over 156 or
whatever).

/K
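
The two client policies debated in this thread, sketched as an added example that is not part of the original message or of draft-ietf-xmpp-websocket: refusing a see-other-uri that downgrades a secure connection, and optionally ignoring any see-other-uri received over an insecure one. The function name, the `ignoreOnInsecure` option, the reason strings and the sample URIs are hypothetical; the scheme list is an assumption based on the "ws or http" wording quoted above.

```javascript
// Added example: decide whether an XMPP WebSocket client should follow a
// see-other-uri value. All names here are hypothetical, not from the draft.
const SECURE = new Set(['wss:', 'https:']);
const KNOWN = new Set(['ws:', 'wss:', 'http:', 'https:']); // assumed scheme list

function evaluateSeeOtherUri(currentUri, seeOtherUri, opts = {}) {
  // Strict mode models the proposal to ignore redirects that arrived over
  // an insecure (ws or http) connection.
  const ignoreOnInsecure = opts.ignoreOnInsecure === true;
  let current, target;
  try {
    current = new URL(currentUri);
    target = new URL(seeOtherUri); // relative or malformed values throw
  } catch (err) {
    return { follow: false, reason: 'unparseable-uri' };
  }
  if (!KNOWN.has(current.protocol) || !KNOWN.has(target.protocol)) {
    return { follow: false, reason: 'unsupported-scheme' };
  }
  const currentSecure = SECURE.has(current.protocol);
  const targetSecure = SECURE.has(target.protocol);
  // Downgrade rule: a secure session never moves to an insecure URI.
  if (currentSecure && !targetSecure) {
    return { follow: false, reason: 'downgrade' };
  }
  // Optional rule: nothing received in the clear is trusted, redirects included.
  if (!currentSecure && ignoreOnInsecure) {
    return { follow: false, reason: 'untrusted-source' };
  }
  if (currentSecure) return { follow: true, reason: 'secure-to-secure' };
  return { follow: true, reason: targetSecure ? 'upgrade' : 'insecure-to-insecure' };
}

// Constructed sample inputs (example.com hosts are placeholders).
const samples = [
  ['wss://xmpp.example.com/ws', 'ws://xmpp.example.com/ws', {}],
  ['ws://xmpp.example.com/ws', 'wss://xmpp.example.com/ws', {}],
  ['ws://xmpp.example.com/ws', 'wss://xmpp.example.com/ws', { ignoreOnInsecure: true }],
];
for (const [cur, next, opts] of samples) {
  console.log(cur, '->', next, JSON.stringify(opts), evaluateSeeOtherUri(cur, next, opts));
}
```

With the default options the ws-to-wss redirect is followed; with `ignoreOnInsecure` set, the same redirect is dropped, which is the behaviour the quoted message objects to.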