Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)
Adam Barth <ietf@adambarth.com> Sat, 17 July 2010 16:38 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB29B3A67E2 for <hasmat@core3.amsl.com>; Sat, 17 Jul 2010 09:38:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.703
X-Spam-Level:
X-Spam-Status: No, score=-1.703 tagged_above=-999 required=5 tests=[AWL=0.274, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ITxAzklcLsx3 for <hasmat@core3.amsl.com>; Sat, 17 Jul 2010 09:38:19 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 670F63A67AC for <hasmat@ietf.org>; Sat, 17 Jul 2010 09:38:19 -0700 (PDT)
Received: by iwn38 with SMTP id 38so3418194iwn.31 for <hasmat@ietf.org>; Sat, 17 Jul 2010 09:38:31 -0700 (PDT)
Received: by 10.231.37.75 with SMTP id w11mr2441586ibd.45.1279384711403; Sat, 17 Jul 2010 09:38:31 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id g31sm15457378ibh.22.2010.07.17.09.38.30 (version=SSLv3 cipher=RC4-MD5); Sat, 17 Jul 2010 09:38:31 -0700 (PDT)
Received: by iwn38 with SMTP id 38so3418157iwn.31 for <hasmat@ietf.org>; Sat, 17 Jul 2010 09:38:29 -0700 (PDT)
Received: by 10.231.14.201 with SMTP id h9mr2643966iba.135.1279384708881; Sat, 17 Jul 2010 09:38:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.143.145 with HTTP; Sat, 17 Jul 2010 09:38:08 -0700 (PDT)
In-Reply-To: <AANLkTimMfQSL-0bqhetDTobbwqRZtuO_tWUv86oV7QTW@mail.gmail.com>
References: <4C40B0F7.4010008@KingsMountain.com> <AANLkTiknk-L7XalNxfNZdWQuxH9HmrWM8vRsJO1jsDuq@mail.gmail.com> <AANLkTimMfQSL-0bqhetDTobbwqRZtuO_tWUv86oV7QTW@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 17 Jul 2010 09:38:08 -0700
Message-ID: <AANLkTikFDwQocaJhxCcwhyh9jWUZixrTMgeROrx9i070@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jul 2010 16:38:21 -0000
On Sat, Jul 17, 2010 at 9:34 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: >> That's not a good idea. It's an importnat security property that the >> browser never issues an HTTP request for hosts with STS enabled. The >> reasons for this are somewhat subtle and revolve around deficiencies >> in the cookie protocol. Essentially, because cookies do not have >> integrity, you want to rule out the possibility of an active network >> attacker responding to such requests with a Set-Cookie header. > > It seems to me that this should be fixed by STS. Would something like > 'once STS is enabled a STS server shouldn't allow HTTP to set secure > cookies' (in better language) be enough? I am not really sure what are > the attacks you are referring to. That's already true because the browser never issues HTTP requests to an STS host and therefore can never receive an HTTP response containing a Set-Cookie header. More generally, there are tons of random semantics we could layer onto the STS bit. However, that leads to a complex feature that's hard for sites to reason about and deploy. Instead, it's better to stick with a couple hard-working primitives, which is what the current design aims for. Adam
- [HASMAT] wrt port numbers - comment 51 bug 495115… =JeffH
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… =JeffH
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Steingruebl, Andy
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Devdatta Akhawe
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Steingruebl, Andy
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Steingruebl, Andy
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Kai Engert
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Adam Barth
- Re: [HASMAT] wrt port numbers - comment 51 bug 49… Dan Winship