Re: [http-state] Welcome to http-state
"Adam Barth" <ietf@adambarth.com> Tue, 13 January 2009 00:55 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E3B123A692C; Mon, 12 Jan 2009 16:55:36 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1ADC43A692C for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 16:55:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id As4Ob6IHbNlV for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 16:55:35 -0800 (PST)
Received: from mail-ew0-f17.google.com (mail-ew0-f17.google.com [209.85.219.17]) by core3.amsl.com (Postfix) with ESMTP id E23723A6886 for <http-state@ietf.org>; Mon, 12 Jan 2009 16:55:34 -0800 (PST)
Received: by ewy10 with SMTP id 10so11814898ewy.13 for <http-state@ietf.org>; Mon, 12 Jan 2009 16:55:17 -0800 (PST)
Received: by 10.210.10.1 with SMTP id 1mr15473042ebj.64.1231808116713; Mon, 12 Jan 2009 16:55:16 -0800 (PST)
Received: by 10.210.18.3 with HTTP; Mon, 12 Jan 2009 16:55:16 -0800 (PST)
Message-ID: <7789133a0901121655s264fb79bp49edec243e9c14af@mail.gmail.com>
Date: Mon, 12 Jan 2009 16:55:16 -0800
From: Adam Barth <ietf@adambarth.com>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
In-Reply-To: <op.unn5yrxyqrq7tp@nimisha.oslo.opera.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <49679299.6060703@corry.biz> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com> <op.unn1bhjxqrq7tp@nimisha.oslo.opera.com> <120206B6A348CA498C70E738A2E963514C0CDC@Nexus.cisecurity.lan> <op.unn5yrxyqrq7tp@nimisha.oslo.opera.com>
X-Google-Sender-Auth: a25c3d913fe18e0f
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
On Mon, Jan 12, 2009 at 4:21 PM, Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com> wrote: > My point about $Port is that if the server used either 'Port=' or > 'Port="443"' and checks for the $Port whenever the cookie is received, it > will be able to detect if an unsecure server clobbered it, because that > server would either have to use 'Port="80,443"', or not use Port at all, to > be able to set the cookie and to get the cookie sent to the secure server. We're asking for integrity against an active network attacker (imagine someone who poisons DNS). The active network attacker can spoof an HTTP server on port 443, i.e. http://www.bank.com:443/. When that fake server responds with Set-Cookie2, it can cause the Port attribute to be set to 443. > The receiving server will not be able to detect if a compromised secure > server clobbered the cookie, but the $Origin field I am suggesting should > handle that as long as the receiving server itself hasn't been compromised. Yes, the Origin attribute should fix the issue as long as it includes the scheme (and not just the domain and port). Adam _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry