CC: "hybi [...] ietf.org" <hybi [...] ietf.org>
Subject: Re: [hybi] Rejecting client messages with mask=0 (X^0=X)
Date: Mon, 19 Sep 2011 02:26:01 +0200
To: Greg Wilkins <gregw [...] intalio.com>
From: Bjoern Hoehrmann <derhoermi [...] gmx.net>

* Greg Wilkins wrote:
>Given that these kinds of attacks rely on a compromised server, then
>there is ample scope for an evil server to capture lots of mask
>samples from the client and crunch the numbers to try and predict
>future masks. The defence against this is that common browsers with
>open source simply have to use robust random number generators, which
>I'm sure they do.

Actually this will require careful checking as vendors ship their
implementations of the finalized protocol. Using the wrong random number
generator, or using the right one incorrectly, is a fairly common problem
in browsers and much more so with other implementations. Picking CPAN's
Protocol::WebSocket as a random example, the code there is

  # Not sure if perl provides good randomness
  my $mask = $self->{mask} || rand(2**32);

On Windows, ActiveState's ActivePerl by default comes with only 16 bits
of randomness, as I found out when implementing some Websocket masking
related thing. Of course, with non-browser implementations you do not
generally have the "attacker provides payload" and other problems that
make this vaguely problematic. (BCC-ing the relevant bug tracker.)
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
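
Added example, not part of the original message and not code from Protocol::WebSocket: a small audit an implementer could run over masking keys collected from their own client to see how many of the 32 bits ever change. The function names are hypothetical, and `low_resolution_masks` is an assumed, simplified model of a generator with only 16 bits of resolution stretched over a 32-bit range; the comparison source is the operating system CSPRNG via Python's `secrets` module.

```python
import random
import secrets


def low_resolution_masks(n, bits=16, seed=1):
    """Constructed sample: n masks from a generator that has only `bits`
    bits of resolution, scaled up to the 32-bit range (assumed model)."""
    rng = random.Random(seed)
    return [rng.getrandbits(bits) << (32 - bits) for _ in range(n)]


def csprng_masks(n):
    """n masks drawn from the operating system CSPRNG, 4 bytes each."""
    return [int.from_bytes(secrets.token_bytes(4), "big") for _ in range(n)]


def varying_bits(masks):
    """Count the bit positions (out of 32) seen as both 0 and 1."""
    seen_one = 0
    seen_zero = 0
    for m in masks:
        seen_one |= m
        seen_zero |= ~m & 0xFFFFFFFF
    return bin(seen_one & seen_zero).count("1")


def audit(masks):
    """Summarise a sample of observed masking keys."""
    return {
        "samples": len(masks),
        "distinct": len(set(masks)),
        "varying_bits": varying_bits(masks),
    }


if __name__ == "__main__":
    print("low resolution:", audit(low_resolution_masks(5000)))
    print("CSPRNG:        ", audit(csprng_masks(5000)))
```

A sample whose `varying_bits` is well below 32, or whose `distinct` count falls short of `samples` at this sample size, points at a generator that needs replacing; a full 32 only rules out this one failure and says nothing about predictability.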