IETF Logo Mail Archive

[hybi] Is masking required?

Dave Cridland <dave@cridland.net> Tue, 21 December 2010 10:46 UTC

Return-Path: <dave@cridland.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D4A6F3A69A3 for <hybi@core3.amsl.com>; Tue, 21 Dec 2010 02:46:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.496
X-Spam-Level:
X-Spam-Status: No, score=-2.496 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TybdeIe3L8xf for <hybi@core3.amsl.com>; Tue, 21 Dec 2010 02:46:08 -0800 (PST)
Received: from peirce.dave.cridland.net (peirce.dave.cridland.net [IPv6:2001:470:1f09:882:2e0:81ff:fe29:d16a]) by core3.amsl.com (Postfix) with ESMTP id 345D83A67EA for <hybi@ietf.org>; Tue, 21 Dec 2010 02:46:08 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by peirce.dave.cridland.net (Postfix) with ESMTP id C47641168119 for <hybi@ietf.org>; Tue, 21 Dec 2010 10:48:02 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at peirce.dave.cridland.net
Received: from peirce.dave.cridland.net ([127.0.0.1]) by localhost (peirce.dave.cridland.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n4Uo1jNHPvjP for <hybi@ietf.org>; Tue, 21 Dec 2010 10:47:58 +0000 (GMT)
Received: from puncture (puncture.dave.cridland.net [IPv6:2001:470:1f09:882:221:85ff:fe3f:1696]) by peirce.dave.cridland.net (Postfix) with ESMTPA id 4461C1168113 for <hybi@ietf.org>; Tue, 21 Dec 2010 10:47:58 +0000 (GMT)
MIME-Version: 1.0
Message-Id: <2792.1292928478.260433@puncture>
Date: Tue, 21 Dec 2010 10:47:58 +0000
From: Dave Cridland <dave@cridland.net>
To: Server-Initiated HTTP <hybi@ietf.org>
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
Subject: [hybi] Is masking required?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Dec 2010 10:46:09 -0000

I'm going to make a series of statements which I believe to be  
uncontraversial. I'm then going to draw some conclusions from these,  
which seem to be contraversial.

First, the statements:

1) There exist transparent proxies, by which we mean an intermediary  
which the browser and server are both unaware of. (ie, this is  
network transparency and not mere semantic transparency).

2) Some of these transparent proxies can be fooled into rerouting  
requests and caching responses erroneously if the traffic appears to  
be HTTP. This allows an attacker to access data behind a firewall, or  
alternately poison the cache of a proxy.

3) There exists a paper describing an experiment conducted to test  
this hypothesis.

4) The paper also describes a CONNECT request, which causes some  
transparent proxies to cease to treat the remaining data flow as HTTP.

5) The results of this experiment showed that around 1 in every  
10,000 proxies was still trying to find HTTP requests in subseuqent  
data, although no security attacks (point (2)) were found against any  
of the 50,000 or so tested.

6) If masking were deployed, this is believed to prevent any  
transparent proxies from finding HTTP requests in the websocket data  
flow.

7) The attacks in (2) are mountable using Flash and Java.

8) Masking will prevent sendfile()-like interfaces, and in general  
cause dataflow within a device to be routed consistently through the  
CPU, increasing the hardware cost of websockets.

9) AES in particular will have export licensing considerations.

Second, some observations and conclusions:

a) We seem to have decided that we want websockets to be available  
even in environments that have decided to block Java or Flash (or,  
one assumes, other downloadable, non-sandboxed, code). This implies  
we need to be significantly more secure. I don't think this is  
particularly contraversial, but I would offer the suggestion that we  
are unlikely to be able to attain 100% security.

b) We know that a CONNECT request (or pseudo-CONNECT as in my  
proposal) will prevent attacks in some 99.99% of cases, with no cases  
actually found in field testing. This to my mind convinces me that a  
CONNECT is a useful approach. It can be made semantically transparent  
and conformant to existing HTTP specifications quite easily.

c) Whilst I entirely understand that masking prevents some  
theoretical problems, the only experimental data we have suggests  
that such problems are just that - theoretical. This is nothing like  
the kinds of issues we had with open mail relays, where every  
mailserver was, once, affected. This is a handful of transparent  
proxies which might be affected. I think a sense of proportion to our  
response seems sensible. The issues raised in (8) and (9) seem to  
suggest caution.

d) Finally, any proxy affected by the attacks in (2) is also affected  
by Flash or Java (see point 7), so the operators should become aware  
and fix or replace such intermediaries anyway.

My personal conclusion is that the practical benefits of masking  
remain theoretical, and simply do not outweigh the costs, which do  
exist.

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

v2.23.0 | Report a Bug | By Email