W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: [Moderator Action] #144: Attacks from Same Host (OppSec)

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Sun, 13 Mar 2016 17:49:21 +0000
To: HTTP WG <ietf-http-wg@w3.org>
Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Martin Thomson <martin.thomson@gmail.com>, Mark Nottingham <mnot@mnot.net>, Mike Bishop <Michael.Bishop@microsoft.com>
Message-Id: <20160313174847.DD97B389F@welho-filter4.welho.com>


| The only thing remaining then is Kari's suggestion that the .well-known 
| file also include the alternatives, to mitigate the case when an attacker 
| has 1) the ability to inject response headers, 2) the ability to listen 
| on a port on the same host, and 3) doesn't have the ability to modify 
| .well-known (AKA "shared hosting w/ shell access").

( I mentioned this earlier, but not to: HTTP WG <ietf-http-wg@w3.org> )

Yes, I like that browser can defend against this attack also.
Mike Bishop described that attack:


| http://users.example.com is a shared server which hosts user home
| pages.  Eve places a config file in her wwwpages directory to add an
| Alt-Svc header to pages served out of http://users.example.com/~eve
| announcing an alternative service for http://users.example.com on port
| 23412.  Bob is using an Alt-Svc-capable browser.  After Bob has
| visited http://users.example.com/~eve, he visits
| http://users.example.com/~alice.  His browser, obeying Eve's Alt-Svc
| header, accesses the alternative service on port 23412, where Eve is
| running a forward proxy that replaces all pages except her own with
| dancing hamsters.

I also have home page on my hosting provider like

(where 'account' is user id used on shell access. )

My hosting provider ssh access (that is how pages are modified.)

There also seems to have over 5000 other accounts,
so there is probably quite many home pages like that.

These are Apache Per-user web directories

I suspect that shell access is not be as rare than you
imagine. At least search for "web host provider with 
shell access" tells that this feature is provided.

I do not know if these accounts on these providers
share same origin (aka http://home.hosting.provider/~account/ or

This is fine when http://home.hosting.provider/.well-known/http-opportunistic
does not exists.

Also I have sites http://account.hosting.provider/,
https://account.hosting.provider/ and http://www.elmme-mailer.org/
but these does not share same origin with other accounts on here.
So on these sites sharing is not a problem.

And documentation on my hosting provider says that
users can run application servers which listen ports between

This is allowed but not not recommended – Using of FastCGI or CGI
is recommended.

If hosting provider wants provide Opportunistic Security for HTTP 
for http://home.hosting.provider/, it needs add


with content

 "origins": [ "http://home.hosting.provider/" ]

But now any of 5000 users can also run listener on home.hosting.provider
and inject

Alt-Svc: h2=":30000"

header field on his pages http://home.hosting.provider/~username/ when 
using CGI.

home.hosting.provider can defend this with filtering Alt-Svc:
from UserDir -pages generated with CGI or FastCGI

Alternatively home.hosting.provider can defend this attack with NOT 
publishing http://home.hosting.provider/.well-known/http-opportunistic
but instead using valid certificate (RFC for "HTTP Alternative Services").

There exists wildcard certificate for *.hosting.provider -name.

But then home.hosting.provider can not use "commit" either because 
that requires http://home.hosting.provider/.well-known/http-opportunistic

But there is little what browser can use to defend against that attack:

1) Browser can just ignore Alt-Svc: if there is not valid certificate
2) Browser can ignore Alt-Svc: if there is ~ on URL
3) Browser can ignore Alt-Svc which gives port > 1023
4) Browser can ignore Alt-Svc for all other paths except 
  '/' , '/.well-known/…' and '*' (OPTIONS)

But these 2) and 3) does give much guarantee to browser.

Then browser is just ignoring Alt-Svc: if there is not valid certificate
so no "Opportunistic Security for HTTP" -support, just support for
"HTTP Alternative Services". 

Perhaps option 4) makes sense for browser (i.e. look that 
/.well-known/http-opportunistic ALSO returns same 
Alt-Svc: -header field). However this is not actually specified.
This is effectively also same than that .well-known also 
lists alternatives. And this does not work if several 
alternatives are rotated on Alt-Svc: -header field.

Browser is easier to defend for this attack (and support
Opportunistic Security for HTTP") if there is
"alternatives" member in the http-opportunistic 
well-known resource.

That "alternatives" member lists valid alternatives which 
are allowed for given in Alt-Svc: -header filed.
I do not have suggested exact syntax for this member. 

Alternatively browser can defend for this attack
if there is "valid-ports" member in the http-opportunistic 
well-known resource. This is enough when origin and alternative 
service’s hostnames are the same.

This is perhaps over-engineering here:

Alternatively browser can defend for this attack
if "origins" member in the http-opportunistic is
not list of strings but if "origins" is
a object where member names are origins
and member values are either list of
alternatives or list of valid-ports.

That is: every origin lists which are alternatives
for it. But I think that this is too complicated:

HTTP/1.1 200 OK
Content-Type: application/json
Connection: close

 "origins": { "http://example.com": [ 88 ],
              "http://www.example.com:81":  87 ] },
 "commit": 86400

(( And then it makes sense to move "commit" also 
  to be per-origin:

 "origins": { "http://example.com": {
      "valid-ports":  [ 88 ],
      "commit": 86400 },
     "http://www.example.com:81": {
	"valid-ports":  [ 87 ],
      "commit": 86400 },

This is too complex.  So just keep it simple:

 "origins": ["http://example.com", "http://www.example.com:81"],
 "commit": 86400,
 "valid-ports": [ 88, 87 ]

or "alternatives" instead of "valid-ports".


There is no so many different browsers, so I think 
that makes sense them defend against this attack (if 
they support "Opportunistic Security for HTTP").

Getting origins / sites correct is harder, I think.
It is quite easy to add Alt-Svc: header field
to some places but harder to filter Alt-Svc: 
header field from all unwanted outputs. 

/ Kari Hurtta
Received on Monday, 14 March 2016 13:30:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC