Re: [http-state] Welcome to http-state
"Adam Barth" <ietf@adambarth.com> Mon, 12 January 2009 22:00 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 65FFC28C0CF; Mon, 12 Jan 2009 14:00:03 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 04BF73A68F0 for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 14:00:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ocsmDlXJ4J8c for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 14:00:01 -0800 (PST)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.191]) by core3.amsl.com (Postfix) with ESMTP id AE93D3A6900 for <http-state@ietf.org>; Mon, 12 Jan 2009 14:00:00 -0800 (PST)
Received: by nf-out-0910.google.com with SMTP id b11so1996754nfh.39 for <http-state@ietf.org>; Mon, 12 Jan 2009 13:59:45 -0800 (PST)
Received: by 10.210.43.10 with SMTP id q10mr23799585ebq.179.1231797583733; Mon, 12 Jan 2009 13:59:43 -0800 (PST)
Received: by 10.210.18.3 with HTTP; Mon, 12 Jan 2009 13:59:43 -0800 (PST)
Message-ID: <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com>
Date: Mon, 12 Jan 2009 13:59:43 -0800
From: Adam Barth <ietf@adambarth.com>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
In-Reply-To: <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan>
MIME-Version: 1.0
Content-Disposition: inline
References: <49679299.6060703@corry.biz> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan>
X-Google-Sender-Auth: ff48319c507015fb
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
On Mon, Jan 12, 2009 at 1:47 PM, Blake Frantz <bfrantz@cisecurity.org> wrote: > Agreed that cross-scheme clobbering is historically allowed by user > agents. However, clobbering a cookie is different than causing a cookie > to be evicted. The former impacts the integrity of the cookie while the > latter impacts cookie availability. The purpose of an anti-clobber > mechanism is to protect the integrity of the Secure cookie. The attacker can still disrupt the integrity of the Secure cookie by first causing the cookie to be evicted and then creating a new, non-Secure cookie with the same name. This has the same effect as overwriting the Secure cookie. An alternate way to protect the integrity of Secure cookies is to add a "Cookie-Integrity" header that lists the cookies set over HTTPS, as described in 6.2 of http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf > I see such a mechanism as a defense in depth measure - akin to HttpOnly. The Cookie-Integrity header has two advantages over altering the semantics of Set-Cookie: 1) It is backwards compatible with existing servers who might legitimately overwrite Secure cookies over HTTPS (for example, during "logout"). 2) It protects the integrity of the cookies in a clearly defined threat model. Adam _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry