[whatwg] TCPConnection feedback
Shannon
shannon at arc.net.au
Fri Jun 20 01:26:29 PDT 2008
From: "Michael Carter" <michael.carter at kaazing.com>
Subject: Re: [whatwg] TCPConnection feedback
To: whatwg at whatwg.org
Message-ID:
<24f9a1ba0806191101h13291792wded6d16560fec632 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
> I fail to see how virtual hosting will work for this anyway. I mean we're
>> not talking about Apache/IIS here, we're talking about custom applications,
>> scripts or devices - possibly implemented in firmware or "a few lines of
>> perl". Adding vhost control to the protocol is just silly since the
>> webserver won't ever see the request and the customer application should be
>> able to use any method it likes to differentiate its services. Even URI
>> addressing is silly since again the application may have no concept of
>> "paths" or "queries". It is simply a service running on a port. The only
>> valid use case for all this added complexity is proxying but nobody has
>> tested yet whether proxies will handle this (short of enabling encryption,
>> and even that is untested).
>>
>
> Actually, I've already tested this protocol against some typical forward
> proxy setups and it hasn't caused any problems so far.
Can you elaborate on what you mean by tested? Are you saying you've performed non-TLS, persistent, asynchronous
communication through a proxy + Apache/IIS or proxy + custom application?
>>
>> I'm thinking here that this proposal is basically rewriting the CGI
>> protocol (web server handing off managed request to custom scripts) with the
>> ONLY difference being the asynchronous nature of the request. Perhaps more
>> consideration might be given to how the CGI/HTTP protocols might be updated
>> to allow async communication.
>>
>
> Rewriting the HTTP spec is not feasible and I'm not even convinced its a
> good idea. HTTP has always been request/response so it would make a lot more
> sense to simply use a new protocol then confuse millions of
> developers/administrators who thought they understood HTTP.
As pointed out by others HTTP can preform asynchronously and persistently under certain circumstances (ie TLS
handshake). Microsoft describe the process here: http://msdn.microsoft.com/en-us/library/aa380513(VS.85).aspx
This appears to be bi-directional communication so we can probably assume that proxies and servers supporting TLS could
be made to support other async processes. Also taking into consideration what others have said regarding keep-alive and
protocol switching it would seem that we are looking at a fairly trivial problem as far as HTTP is concerned. My
recommendation is probably less relevant to HTTP than it is to CGI.
Currently CGI has the web server offload a bunch of environment variables that the CGI script decodes. What's missing
then is a way to pass the whole socket off to the script. The Fast CGI protocol is closer to the mark. Wikipedia says:
"Environment information and page requests are sent from the web server to the process over a TCP connection (for remote
processes) or Unix domain sockets (for local processes). Responses are returned from the process to the web server over
the same connection. The connection may be closed at the end of a response, but the web server and the process are left
standing."
So Fast CGI achieves all the main goals for WebSocket (proxy support, virtual hosting, ssl support) using existing
access control rules and configs that ISPs are familiar with. The only thing that is not supported is persistent
bi-directional communication (at least I have found nothing to indicate this). However based on the description above
the only limiting factor seems to be an assumption that all links in the chain close the connection after the initial
server response (making it bi-directional but not persistent). It also isn't strictly asynchronous since the client and
server apparently cannot send/receive simultaneously.
I propose a new protocol called Asynchrous CGI that extends Fast CGI to support asynchonous and persistent channels
rather than the creation of an entirely new WebSockets protocol from scratch.
>>
>> Having said that I still see a very strong use case for low-level
>> client-side TCP and UDP. There are ways to manage the security risks that
>> require further investigation. Even if it must be kept same-domain that is
>> better than creating a new protocol that won't work with existing services.
>> Even if that sounds like a feature - it isn't. There are better ways to
>> handle access-control for non-WebConnection devices than sending garbage to
>> the port.
>>
>
> If we put the access control in anything but the protocol it means that we
> are relying on an external service for security, so it would have to be
> something that is completely locked down. I don't really see what the
> mechanism would be. Can you propose a method for doing this so as to allow
> raw tcp connections without security complications?
I don't understand your point. Existing services use firewalls, authentication, host-allow, etc as appropriate. The only
new issue TCPConnection or WebConnection introduce is the concept of an "non-user-initiated connection". In other words
a remote untrusted server causing the local machine to make a connection without an explicit user action (such as
checking mail in Outlook). I believe the proposed DNS extension combined with some form of explicit user-initiated
priviledge elevation reduce the two main threats: DDOS and browser-based brute-force attacks.
>> How would WebSocket connections be more harmful than something like
>>
>> setInterval(function(){
>> var img = new Image();
>> img.src = "http://victim.example.com/" <http://victim.example.com/> + generateLongRandomString();
>> }, 1000);
>>
>> for example would?
>>
>> It's more harmful because an img tag (to my knowledge) cannot be used to
>> brute-force access, whereas a socket connection could. With the focus on
>> DDOS it is important to remember that these sockets will enable full
>> read/write access to arbitrary services whereas existing methods can only
>> write once per connection and generally not do anything useful with the
>> response.
>>
>
> What do you mean by brute-force access, and how could the proposed protocol
> be used to do it. Can you provide an example?
>
> Also, the proposed protocol will do a single HTTP request, just like the img
> tag, and the response be hidden from the attacker if it wasn't the right
> response. From a potential attacker's point of view, this is a write once
> per connection where the only control they have over the request is the
> value of the url. Attacking with this protocol is identical to attacking
> with an image tag in every way that I can think of.
I already have already provided two examples in previous posts but to reiterate quickly this protocol as currently
described can be manipulated to allow a full challenge-response process. This means I can make every visitors browser
continually attempt username/password combinations against a service, detect when access is granted, and continue to
send commands following the handshake. IMG and FORM allow at most a single single request to be sent before closing the
connection and generally return the data in a form that cannot be inspected inside javascript. I have shown that by
injecting a custom URI into the handshake I can theoretically force a valid server response to trick the browser into
keeping the connection open for the purpose of DDOS or additional attacks. The difference is not in the ability to DDOS,
it's in the ability to maintain a connection in the presense of a server challenge, despite WebSockets proposed
safeguards (keeping in mind these proposed safeguards render the protocol useless for accessing legacy devices).
Shannon
PS (to list): Sorry if this post generates yet another thread. Thunderbird keeps truncating my replies in a way that
seems to invalidate the thread history. I might need to shift to a proper newsreader.
More information about the whatwg
mailing list