IETF Logo Mail Archive

Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)

Adam Barth <ietf@adambarth.com> Sat, 17 July 2010 20:17 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15D8C3A6826 for <hasmat@core3.amsl.com>; Sat, 17 Jul 2010 13:17:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.72
X-Spam-Level:
X-Spam-Status: No, score=-1.72 tagged_above=-999 required=5 tests=[AWL=0.257, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGP-GKt+7GuD for <hasmat@core3.amsl.com>; Sat, 17 Jul 2010 13:17:27 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id D18A73A69C6 for <hasmat@ietf.org>; Sat, 17 Jul 2010 13:17:27 -0700 (PDT)
Received: by iwn38 with SMTP id 38so3549583iwn.31 for <hasmat@ietf.org>; Sat, 17 Jul 2010 13:17:40 -0700 (PDT)
Received: by 10.231.177.40 with SMTP id bg40mr2460977ibb.150.1279397860349; Sat, 17 Jul 2010 13:17:40 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id r3sm16280233ibk.7.2010.07.17.13.17.39 (version=SSLv3 cipher=RC4-MD5); Sat, 17 Jul 2010 13:17:40 -0700 (PDT)
Received: by iwn38 with SMTP id 38so3549543iwn.31 for <hasmat@ietf.org>; Sat, 17 Jul 2010 13:17:38 -0700 (PDT)
Received: by 10.231.183.200 with SMTP id ch8mr3111036ibb.124.1279397858158; Sat, 17 Jul 2010 13:17:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.143.145 with HTTP; Sat, 17 Jul 2010 13:17:17 -0700 (PDT)
In-Reply-To: <5EE049BA3C6538409BBE6F1760F328ABEAAA7924C6@DEN-MEXMS-001.corp.ebay.com>
References: <4C40B0F7.4010008@KingsMountain.com> <AANLkTiknk-L7XalNxfNZdWQuxH9HmrWM8vRsJO1jsDuq@mail.gmail.com> <AANLkTimMfQSL-0bqhetDTobbwqRZtuO_tWUv86oV7QTW@mail.gmail.com> <AANLkTikFDwQocaJhxCcwhyh9jWUZixrTMgeROrx9i070@mail.gmail.com> <5EE049BA3C6538409BBE6F1760F328ABEAAA7924C6@DEN-MEXMS-001.corp.ebay.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 17 Jul 2010 13:17:17 -0700
Message-ID: <AANLkTinfPWDO00k6nXVbtzPVODkdQYhK64xo1Y1vc9gt@mail.gmail.com>
To: "Steingruebl, Andy" <asteingruebl@paypal.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jul 2010 20:17:29 -0000

On Sat, Jul 17, 2010 at 12:35 PM, Steingruebl, Andy
<asteingruebl@paypal.com> wrote:
>> -----Original Message-----
>> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On Behalf Of Adam Barth
>> > It seems to me that this should be fixed by STS. Would something like
>> > 'once STS is enabled a STS server shouldn't allow HTTP to set secure
>> > cookies' (in better language) be enough? I am not really sure what are
>> > the attacks you are referring to.
>>
>> That's already true because the browser never issues HTTP requests to an
>> STS host and therefore can never receive an HTTP response containing a Set-
>> Cookie header.
>>
>> More generally, there are tons of random semantics we could layer onto the
>> STS bit.  However, that leads to a complex feature that's hard for sites to
>> reason about and deploy.  Instead, it's better to stick with a couple hard-
>> working primitives, which is what the current design aims for.
>
> Ok, I feel like I'm making a day of contradicting Adam, but one of the points of the HASMAT work is to see what other policy directives we can come up with, and they bestway to turn some of that into policy mechanisms.
>
> Lots of things are currently out there scattered all over:
>
> X-Frame-Options
> CSP
> STS
> No-Sniff
> And even headers to turn off XSS sanitization features in browsers for a given site.
>
> What we're hoping to do through some of the HASMAT work is condense a lot of that into a more coherent policy mechanism, and add a few things  (and I'm just brainstorming here).  Ideally these policies could be controlled in one place and wouldn't have to get set for every response by a site, they could be centrally controlled and authoritative.
>
>  - This site only sets "Secure" and "HTTPonly" cookies. Don't pay attention to the individual cookies, this policy statement is authoritative
>  - This site is always UTF-8. Don't ever sniff content here.
>  - This site should never be framed, or only framed under these conditions.

Oh, I agree with that.  I guess what I meant was we'd be better off
having more dials to turn, each of which does something clear and
understandable, rather than having a big on/off switch that does
something complicated and mysterious.

For example, in the original ForceHTTPS proposal, we had "I don't want
mixed content" layered on as well.  We took that out because we
thought it made sense to be able to control that piece of policy
independently.

Adam

v2.23.0 | Report a Bug | By Email