<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-NZ link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I guess what I meant was, the vulnerability exists on the proxy.  Poisoning the cache requires deliberate (or freakishly inadvertent accidental) steps taken to compromise the proxy.  Yes, other clients then using that proxy are I guess potentially compromised but there’s not a whole heck of a lot you can do about that, is there?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Browsers have a responsibility to prevent themselves from being used in an attack, because a browser does something that other connected sockets applications don’t do... i.e. download and execute code from arbitrary sources – web sites.  Opera and Firefox et al have to close the hole because if they didn’t, miscreants could contrive a means to have users visit a site that downloads exploit code to be run in the browser.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can clean up your Delphi code (assuming it even needs it) all you like, but if somebody else comes along and compromises a proxy that your application is routing traffic through (whether by choice or dint of circumstance), then you are still screwed.  
afaict.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> delphi-bounces@delphi.org.nz [mailto:delphi-bounces@delphi.org.nz] <b>On Behalf Of </b>John Bird<br><b>Sent:</b> Monday, 13 December 2010 11:49<br><b>To:</b> NZ Borland Developers Group - Delphi List<br><b>Subject:</b> Re: [DUG] Web Sockets security hole<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>As I understand, a Web Socket connecting via a proxy can be fooled in the case of many proxies to connect to a different site altogether due to a weakness in the UPGRADE protocol which can be exploited by poisoning the DNS cache.&nbsp;&nbsp; The CONNECT protocol (not yet implemented) seems to be OK, and wss (Secure sockets may be ok).&nbsp;&nbsp; It looks like a hole in security for the way many or most proxies are implemented that affects Web Sockets going via them.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>I am still unsure how major this is and the implications, but as far as Opera and Firefox V4 are concerned they have turned off this 
protocol in HTML5 until it can be made secure.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>It looks like a relative of the DNS poisoning cache security hole that had major releases of patches by a wide range of suppliers done urgently about a year ago to fix a basic DNS flaw also involving poisoning the DNS cache to point browsers and HTTP traffic to the wrong IP address.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>My main questions were: is there much Delphi stuff out there using Web Sockets? and might this vulnerability with proxies be something such people might need to take a look at (even if the proxy were not a Delphi product)?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>(I use diddly squat Indy stuff myself so all of this is at a distance from me – just wanted to pass it on)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>John<o:p></o:p></span></p></div><div><div><div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> <a 
href="mailto:jsmith@deltics.co.nz" title="jsmith@deltics.co.nz">Jolyon Smith</a> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Sent:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> Monday, December 13, 2010 11:20 AM<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>To:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> <a href="mailto:delphi@delphi.org.nz" title="delphi@delphi.org.nz">'NZ Borland Developers Group - Delphi List'</a> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Subject:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> Re: [DUG] Web Sockets security hole<o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I may be wrong but a quick read of the top link suggests to me that the issue lies specifically in the implementation of various <u>proxies</u>.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><b><u><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If</span></u></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> that’s the case, any implications for Delphi would be for people implementing proxies using Indy, but NOT for clients or servers 
themselves.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> delphi-bounces@delphi.org.nz [mailto:delphi-bounces@delphi.org.nz] <b>On Behalf Of </b>John Bird<br><b>Sent:</b> Monday, 13 December 2010 11:08<br><b>To:</b> NZ Borland Developers Group - Delphi List<br><b>Subject:</b> [DUG] Web Sockets security hole<o:p></o:p></span></p></div></div><p class=MsoNormal><span style='color:black'>&nbsp;<o:p></o:p></span></p><div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Here is a reference I picked up on the Firefox list about a security hole in Web Sockets –&nbsp; and affects Java, Flash and HTML5.&nbsp; Research done by Adam Barth of Google.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><a href="http://www.ietf.org/mail-archive/web/hybi/current/msg04744.html" title="http://www.ietf.org/mail-archive/web/hybi/current/msg04744.html">http://www.ietf.org/mail-archive/web/hybi/current/msg04744.html</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span 
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><a href="http://www.adambarth.com/experimental/websocket.pdf" title="http://www.adambarth.com/experimental/websocket.pdf">http://www.adambarth.com/experimental/websocket.pdf</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=616733" title="https://bugzilla.mozilla.org/show_bug.cgi?id=616733">https://bugzilla.mozilla.org/show_bug.cgi?id=616733</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>As I am not an Indy etc expert I was wondering if anyone wanted to comment if there is any implication for Delphi?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>John<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div></div></div></div></div></div></div></body></html>