Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)

"Steingruebl, Andy" <asteingruebl@paypal.com> Sat, 17 July 2010 15:42 UTC

From: "Steingruebl, Andy" <asteingruebl@paypal.com>
To: Adam Barth <ietf@adambarth.com>, =JeffH <Jeff.Hodges@kingsmountain.com>
Date: Sat, 17 Jul 2010 09:42:23 -0600
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEAAA7924B4@DEN-MEXMS-001.corp.ebay.com>
References: <4C40B0F7.4010008@KingsMountain.com> <AANLkTiknk-L7XalNxfNZdWQuxH9HmrWM8vRsJO1jsDuq@mail.gmail.com>
In-Reply-To: <AANLkTiknk-L7XalNxfNZdWQuxH9HmrWM8vRsJO1jsDuq@mail.gmail.com>
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)

> -----Original Message-----
> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On
> Behalf Of Adam Barth
> That's not a good idea.  It's an important security property that the browser
> never issues an HTTP request for hosts with STS enabled.  The reasons for
> this are somewhat subtle and revolve around deficiencies in the cookie
> protocol.  Essentially, because cookies do not have integrity, you want to rule
> out the possibility of an active network attacker responding to such requests
> with a Set-Cookie header.

It isn't just cookies though. We want to protect against all (most?) downgrade attacks essentially.  We want to stop all spoofed responses, MITM attacks, etc.  During the initial connection there is obviously a problem of sending cookies unencrypted, but you also leak what URL you are visiting, and open yourself up to spoofed responses.
--
Andy