Adam Barth <ietf@adambarth.com>

David Huang, Eric Chen, Eric Rescorla, Collin Jackson, and I have been experimenting with the security of the Upgrade-based and CONNECT-based WebSocket handshakes. Please find a paper detailing our findings at this location: http://www.adambarth.com/experimental/websocket.pdf == Summary == The Upgrade-based handshake is vulnerable to attack in network configurations involving transparent (or intercepting) proxies. The core issue is that some number of transparent proxies do not understand the HTTP Upgrade mechanism and therefore don't understand that the remaining bytes sent by the attacker on the socket are not HTTP. These proxies treat these bytes as subsequent HTTP requests, letting the attacker either circumvent firewalls or, worse, poison the proxy's HTTP cache (depending on how the proxy is configured). Please see the paper for details about how these attacks work. To demonstrate that these attacks work in practice and to estimate how many users are vulnerable to attack, we ran an experiment on the Internet using a rich-media advertisement. We found that for a $100, we were able to poison the cache of 8 users by using the Upgrade-based handshake. When the attacker is able to poison the proxy's cache in this way, the attacker can exploit /every/ user of the cache, with potentially dangerous consequences. For example, the attacker can poison the proxy's cache entry for http://www.google-analytics.com/ga.js and inject JavaScript into approximately 57% of the top 10,000 web sites. We attempted to mount the same class of attack against the CONNECT-based handshake. We were unable to poison any proxy caches when using the CONNECT-based handshake. Based on the data we've collected, vastly most proxies appear to understand the semantics of CONNECT requests than understand the semantics of the Upgrade mechanism. This is consistent with our prior beliefs because CONNECT is widely used on the Internet to tunnel TLS through proxies whereas Upgrade is used rarely. == Recommendation == We recommend that the working group adopt the CONNECT-based handshake described in draft-abarth-websocket-handshake rather than an Upgrade-based handshake. Empirically speaking, the CONNECT-based handshake avoids the real-world attacks we have demonstrated against Upgrade-based handshakes, requires no more round trips, success approximately as often, and complies with HTTP. Kind regards, Adam