- From: Jeffrey Mogul <mogul@pa.dec.com>
- Date: Fri, 27 Oct 95 11:38:54 MDT
- To: Beth Frank <efrank@ncsa.uiuc.edu>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
A few days ago, Beth wrote:

> We've been warned repeatedly by our security guru that persistent TCP connections can be hijacked by unauthorized users without much difficulty, so there are different constraints on an authentication session than on an open (insecure?) session.

This was something I had not considered before, and I'm not a real expert on the TCP hijacking problem, so I asked several people who are recognized experts.

It is important to pose the question the right way. The choice is not between equal numbers of long or short TCP connections; for a given number of HTTP requests, the choice is between some number of long TCP connections or a relatively larger number of short TCP connections.

Laurent Joncheray, author of "A Simple Active Attack Against TCP", Proc. 5th USENIX UNIX Security Symposium, 1995, pages 7-19, available via http://www.merit.edu/routing.arbiter/RA/security/.index.html told me:

> One year ago I did some testing on hijacking a TCP connection. I used one method of my own, but I am sure there are others. The results are that the difficulty is independent of the length of the connection. The hijacking happens at the beginning, so the more TCP connections you open, the more likely you are to be hijacked.

Since persistent-connection HTTP would reduce the number of times a TCP connection is opened, it reduces the number of chances to hijack a connection using Laurent's scheme.

Laurent also writes:

> Another result was that the slower the connection (long RTT), the more difficult it is to notice the hijacking.

I'm not sure if this is relevant or not. It may be that if the network has a lot of RTT variance, then the more TCP connections that go by, the more likely you are to find one with a large RTT.
Steve Bellovin of AT&T (co-author of the book "Firewalls and Internet Security" and author of the article "Security Problems in the TCP/IP Protocol Suite", which appeared in CCR for April, 1989) writes:

> One caveat -- a supershort connection -- which does indeed characterize much Web traffic -- might be hard to seize, because the parties will be shutting it down very fast.

However, it's not clear that this is really a benefit of short connections. I believe that if Laurent's scheme succeeds at all, it will succeed close enough to the beginning of the connection to make this moot. And most Web connections are not "super-short"; they last for several RTTs, at least.

Anyway, I would summarize this as:

(1) we should be worried about TCP connection hijacking
(2) persistent connections might make the problem better
(3) or (less likely) they might make it worse
(4) but cryptography is the only real solution.

I am not confident enough in this analysis to say that it is conclusive, since there may be other TCP-hijacking attacks that we don't yet know about.

Beth, if your security guru would like to provide a more detailed analysis supporting her/his warning, I think we should all see it.

-Jeff
Received on Friday, 27 October 1995 12:16:42 UTC
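The core of Jeff's argument is a counting one: if the attack difficulty is per connection setup rather than per connection lifetime, then exposure scales with how many TCP connections a fixed number of HTTP requests opens. The following Python model, added here as an illustration and not part of the original email or of either cited paper, makes that reasoning explicit. The per-setup hijack probability, the per-connection long-RTT fraction, the request counts and the optional server cap on requests per persistent connection are all hypothetical parameters chosen for the example; the independence assumption between setups is likewise an assumption of the model, not a claim from the thread.

```python
"""Exposure model for the persistent- vs short-connection argument.

Added example (not from the email or the cited papers). Every probability
and request count below is a hypothetical, constructed parameter.
"""

from __future__ import annotations

from math import ceil


def connections_needed(requests: int, persistent: bool,
                       max_per_connection: int | None = None) -> int:
    """TCP connections opened to carry `requests` HTTP requests.

    Non-persistent (HTTP/1.0 style): one connection per request.
    Persistent: a single connection, or ceil(requests / max_per_connection)
    if the server closes a connection after a fixed number of requests
    (an assumed server policy, included to show the general case).
    """
    if requests <= 0:
        return 0
    if not persistent:
        return requests
    if not max_per_connection or max_per_connection <= 0:
        return 1
    return ceil(requests / max_per_connection)


def p_at_least_one(events: int, p_each: float) -> float:
    """P(at least one success) over `events` independent trials of
    probability `p_each` each (independence is an assumption of the model).

    Used for both questions in the thread: 'at least one connection setup
    hijacked' and 'at least one connection with a long RTT'.
    """
    if not 0.0 <= p_each <= 1.0:
        raise ValueError("p_each must be a probability in [0, 1]")
    return 1.0 - (1.0 - p_each) ** events


def compare_exposure(requests: int, p_hijack_per_setup: float,
                     max_per_connection: int | None = None) -> dict:
    """Side-by-side exposure for the same request count under both models."""
    short = connections_needed(requests, persistent=False)
    long_ = connections_needed(requests, persistent=True,
                               max_per_connection=max_per_connection)
    return {
        "short_connections": short,
        "persistent_connections": long_,
        "p_hijack_short": p_at_least_one(short, p_hijack_per_setup),
        "p_hijack_persistent": p_at_least_one(long_, p_hijack_per_setup),
        "setup_reduction_factor": short / long_,
    }


if __name__ == "__main__":
    # Constructed scenario: one page with 19 inline images (20 requests),
    # a hypothetical 1% chance that any single setup is hijacked, and a
    # hypothetical 5% of connections experiencing a "long" RTT.
    r = compare_exposure(20, 0.01)
    print(f"short:      {r['short_connections']:3d} setups, "
          f"P(>=1 hijacked) = {r['p_hijack_short']:.3f}")
    print(f"persistent: {r['persistent_connections']:3d} setups, "
          f"P(>=1 hijacked) = {r['p_hijack_persistent']:.3f}")
    print(f"P(>=1 long-RTT connection): short={p_at_least_one(20, 0.05):.3f} "
          f"persistent={p_at_least_one(1, 0.05):.3f}")
```

The model only captures the point Laurent made (difficulty independent of connection length, attack occurring at setup); it says nothing about attacks that scale with connection lifetime, which is exactly the gap Jeff flags in his closing caveat, and it does not change his conclusion (4) that only cryptographic protection of the session actually removes the risk.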