[DUG] Web Sockets security hole
John Bird
johnkbird at paradise.net.nz
Mon Dec 13 11:49:26 NZDT 2010
As I understand, a Web Socket connecting via a proxy can be fooled in the case of many proxies to connect to a different site altogether due to a weakness in the UPGRADE protocol which can be exploited by poisoning the DNS cache. The CONNECT protocol (not yet implemented) seems to be OK, and wss (Secure sockets may be ok). It looks like a hole in security for the way many or most proxies are implemented that affects Web Sockets going via them.
I am still unsure how major this is and the implications, but as far as Opera and Firefox V4 are concerned they have turned off this protocol in HTML5 until it can be made secure.
It looks like a relative of the DNS poisoning cache security hole that had major releases of patches by a wide range of suppliers done urgently about a year ago to fix a basic DNS flaw also involving poisoning the DNS cache to point browsers and HTTP traffic to the wrong IP address.
My main questions were: is there much Delphi stuff out there using Web Sockets? and might this vulnerability with proxies something such people might need to take a look at (even if the proxy were not a Delphi product)?
(I use diddly squat Indy stuff myself so all of this is at a distance from me – just wanted to pass it on)
John
From: Jolyon Smith
Sent: Monday, December 13, 2010 11:20 AM
To: 'NZ Borland Developers Group - Delphi List'
Subject: Re: [DUG] Web Sockets security hole
I may be wrong but a quick read of the top link suggests to me that the issues lies specifically in the implementation of various proxies.
If that’s the case, any implications for Delphi would be for people implementing proxies using Indy, but NOT for clients or servers themselves.
From: delphi-bounces at delphi.org.nz [mailto:delphi-bounces at delphi.org.nz] On Behalf Of John Bird
Sent: Monday, 13 December 2010 11:08
To: NZ Borland Developers Group - Delphi List
Subject: [DUG] Web Sockets security hole
Here is a reference I picked up on the Firefox list about a a security hole in Web Sockets – and affects Java, Flash and HTML5. Research done by Adam Barth of Google.
http://www.ietf.org/mail-archive/web/hybi/current/msg04744.html
http://www.adambarth.com/experimental/websocket.pdf
https://bugzilla.mozilla.org/show_bug.cgi?id=616733
As I am not an Indy etc expert I was wondering if anyone wanted to comment if there is any implication for Delphi?
John
--------------------------------------------------------------------------------
_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: delphi at delphi.org.nz
Admin: http://delphi.org.nz/mailman/listinfo/delphi
Unsubscribe: send an email to delphi-request at delphi.org.nz with Subject: unsubscribe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listserver.123.net.nz/pipermail/delphi/attachments/20101213/34d475fb/attachment-0001.html
More information about the Delphi
mailing list