
[hybi] Experiment comparing Upgrade and CONNECT handshakes



David Huang, Eric Chen, Eric Rescorla, Collin Jackson, and I have been
experimenting with the security of the Upgrade-based and CONNECT-based
WebSocket handshakes.  Please find a paper detailing our findings at
this location:

http://www.adambarth.com/experimental/websocket.pdf

== Summary ==

The Upgrade-based handshake is vulnerable to attack in network
configurations involving transparent (or intercepting) proxies.  The
core issue is that some number of transparent proxies do not
understand the HTTP Upgrade mechanism and therefore don't understand
that the remaining bytes sent by the attacker on the socket are not
HTTP.  These proxies treat these bytes as subsequent HTTP requests,
letting the attacker either circumvent firewalls or, worse, poison the
proxy's HTTP cache (depending on how the proxy is configured).  Please
see the paper for details about how these attacks work.

To demonstrate that these attacks work in practice and to estimate how
many users are vulnerable to attack, we ran an experiment on the
Internet using a rich-media advertisement.  We found that for $100,
we were able to poison the cache of 8 users by using the Upgrade-based
handshake.  When the attacker is able to poison the proxy's cache in
this way, the attacker can exploit /every/ user of the cache, with
potentially dangerous consequences.  For example, the attacker can
poison the proxy's cache entry for
http://www.google-analytics.com/ga.js and inject JavaScript into
approximately 57% of the top 10,000 web sites.

We attempted to mount the same class of attack against the
CONNECT-based handshake.  We were unable to poison any proxy caches
when using the CONNECT-based handshake.  Based on the data we've
collected, vastly more proxies appear to understand the semantics of
CONNECT requests than understand the semantics of the Upgrade
mechanism.  This is consistent with our prior beliefs because CONNECT
is widely used on the Internet to tunnel TLS through proxies whereas
Upgrade is used rarely.

== Recommendation ==

We recommend that the working group adopt the CONNECT-based handshake
described in draft-abarth-websocket-handshake rather than an
Upgrade-based handshake.  Empirically speaking, the CONNECT-based
handshake avoids the real-world attacks we have demonstrated against
Upgrade-based handshakes, requires no more round trips, succeeds
approximately as often, and complies with HTTP.

Kind regards,
Adam
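The following is an added illustration, not code from the post or from the paper it links to. It models the proxy behaviour the summary describes: a transparent proxy that parses the client's byte stream one HTTP request at a time, and either recognises a handshake (CONNECT or Upgrade) and stops parsing, or does not and keeps treating the bytes that follow as further requests. The two client streams, the hostname attacker.example and all function names are constructed for the example; only the www.google-analytics.com/ga.js target is taken from the post. The WebSocket framing bytes that would surround the attacker's payload on a real connection are omitted (assumed to be tolerated by the naive proxy, as the attack requires).

```python
# Added example (not code from the post or the paper): a toy model of how a
# transparent proxy parses the client byte stream after each handshake.
# The streams, hostnames and function names below are constructed; only the
# www.google-analytics.com/ga.js target is taken from the post. Real WebSocket
# frames carry framing bytes that are omitted here (assumption: the naive proxy
# tolerates or skips them, as the post's attack requires).
from typing import Dict, List, Tuple

Request = Tuple[str, str, str]  # (method, host, path)

# Constructed client streams. Everything after the first blank line is what the
# attacker's page sends once the browser believes the handshake has completed.
UPGRADE_STREAM = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: attacker.example\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Connection: Upgrade\r\n"
    b"\r\n"
    b"GET /ga.js HTTP/1.1\r\n"
    b"Host: www.google-analytics.com\r\n"
    b"\r\n"
)
CONNECT_STREAM = (
    b"CONNECT attacker.example:80 HTTP/1.1\r\n"
    b"Host: attacker.example:80\r\n"
    b"\r\n"
    b"GET /ga.js HTTP/1.1\r\n"
    b"Host: www.google-analytics.com\r\n"
    b"\r\n"
)


def parse_head(head: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split one request head into (method, request-target, lowercase headers)."""
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def proxy_parse(stream: bytes, understands_upgrade: bool,
                understands_connect: bool) -> Tuple[List[Request], bytes]:
    """Walk the stream the way a request-at-a-time proxy does.

    Returns the requests the proxy believes it saw and the trailing bytes it
    treated as an opaque tunnel. A proxy that recognises a handshake stops
    parsing there; one that does not keeps consuming "requests".
    """
    seen: List[Request] = []
    rest = stream
    while rest:
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete head: a real proxy would wait for more bytes
        method, target, headers = parse_head(head)
        if method == "CONNECT":
            seen.append((method, target, ""))
            if understands_connect:
                return seen, rest  # everything after CONNECT is tunnelled
            continue
        seen.append((method, headers.get("host", ""), target))
        if "upgrade" in headers and understands_upgrade:
            return seen, rest  # protocol switched; remaining bytes are not HTTP
    return seen, b""


def poisoned_cache_keys(stream: bytes, understands_upgrade: bool,
                        understands_connect: bool) -> List[str]:
    """Cache entries a proxy in the post's "poisoning" configuration would fill.

    Modelled configuration (one of those the post says depends on the proxy):
    the proxy keys its cache on Host header plus path and reads the response
    from the connection it already has open to the attacker's server, so every
    request it mis-parses after the handshake is cached under an origin of the
    attacker's choosing.
    """
    seen, _ = proxy_parse(stream, understands_upgrade, understands_connect)
    return [host + path for method, host, path in seen[1:] if method == "GET"]


if __name__ == "__main__":
    # The case the post measured: proxies that know CONNECT but not Upgrade.
    for name, stream in (("Upgrade", UPGRADE_STREAM), ("CONNECT", CONNECT_STREAM)):
        keys = poisoned_cache_keys(stream, understands_upgrade=False,
                                   understands_connect=True)
        print(f"{name} handshake, proxy knows CONNECT but not Upgrade:"
              f" poisoned cache keys = {keys}")
```

Run as a script, the Upgrade stream yields a poisoned entry for www.google-analytics.com/ga.js while the CONNECT stream yields none, which is the asymmetry the post reports: the bytes after CONNECT are opaque to a proxy that implements CONNECT, whereas the bytes after an Upgrade request are only opaque to a proxy that implements Upgrade. Flipping understands_connect to False shows that a proxy ignorant of CONNECT would be just as exposed; the post's point is that such proxies are rare in practice.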
