[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)

Koehne Kai Kai.Koehne at digia.com
Thu Jan 30 15:22:23 CET 2014



> -----Original Message-----
> From: development-bounces+kai.koehne=digia.com at qt-project.org
> [...]
> Again, only 3rd party untrusted content matters here and for that you need a
> sandbox.

I'm not entirely sure '3rd party untrusted content' in the Qt process is needed for this sort of attack.

That's how I understood it so far:
1. the attack vector is web proxy poisoning. That is, all it takes is an attacker that
a) can access a remote under his control through the same proxy as the target (or gets some user behind the proxy to access the remote)
b) knows what the websocket request will look like
c) manages to poison the proxy to cache a poisonous answer for the request

The hashing stuff etc tries to prevent b), but strong entropy is required so that the attacker can't just 'guess' future requests e.g. from monitoring previous requests.

Correct me if I'm wrong, but that scheme will work independent of whether the user / app itself runs untrusted content etc.

Regards

Kai
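
The entropy point in the message above, as an added example that is not part of the original post and is not Qt's code: RFC 6455 client-to-server masking (section 5.3) with a key from a guessably seeded PRNG beside a key from `std::random_device`. The function names and the seed value are hypothetical, and `std::random_device` is assumed to be backed by the operating system's entropy source.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <random>
#include <string>
#include <vector>

using MaskKey = std::array<uint8_t, 4>;

static MaskKey fromWord(uint32_t v) {
    return MaskKey{{uint8_t(v >> 24), uint8_t(v >> 16), uint8_t(v >> 8), uint8_t(v)}};
}

// RFC 6455 section 5.3: octet i of the payload is XORed with key[i % 4].
// The same call unmasks, because XOR is its own inverse.
std::vector<uint8_t> maskPayload(const std::vector<uint8_t> &data, const MaskKey &key) {
    std::vector<uint8_t> out(data.size());
    for (std::size_t i = 0; i < data.size(); ++i)
        out[i] = static_cast<uint8_t>(data[i] ^ key[i % 4]);
    return out;
}

// Weak (hypothetical): the key comes from a PRNG seeded with a guessable value,
// so anyone who guesses the seed derives the same key.
MaskKey weakKey(uint32_t guessableSeed) {
    std::mt19937 gen(guessableSeed);
    return fromWord(static_cast<uint32_t>(gen()));
}

// Stronger: a fresh key per frame from std::random_device
// (assumption: it is backed by the OS entropy source on this platform).
MaskKey strongKey() {
    std::random_device rd;
    return fromWord(static_cast<uint32_t>(rd()));
}

// True when a party that only guessed the seed computes exactly the masked
// bytes the client puts on the wire, which is condition b) in the message.
bool wireIsPredictable(const std::vector<uint8_t> &payload, uint32_t clientSeed, uint32_t guessedSeed) {
    return maskPayload(payload, weakKey(clientSeed)) == maskPayload(payload, weakKey(guessedSeed));
}

int main() {
    const std::string text = "constructed sample payload";
    std::vector<uint8_t> payload(text.begin(), text.end());
    std::printf("right seed guess: %d, wrong seed guess: %d\n",
                wireIsPredictable(payload, 1391091743u, 1391091743u),  // constructed seed
                wireIsPredictable(payload, 1391091743u, 1391091744u));
    return 0;
}
```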


