Re: [http-state] Welcome to http-state

"Adam Barth" <ietf@adambarth.com> Tue, 13 January 2009 00:58 UTC

Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AAD0A28C159; Mon, 12 Jan 2009 16:58:35 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 469D428C159 for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 16:58:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wY7QlGFV9p5E for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 16:58:34 -0800 (PST)
Received: from mail-ew0-f17.google.com (mail-ew0-f17.google.com [209.85.219.17]) by core3.amsl.com (Postfix) with ESMTP id 6893E28C158 for <http-state@ietf.org>; Mon, 12 Jan 2009 16:58:34 -0800 (PST)
Received: by ewy10 with SMTP id 10so11815725ewy.13 for <http-state@ietf.org>; Mon, 12 Jan 2009 16:58:18 -0800 (PST)
Received: by 10.210.59.14 with SMTP id h14mr10429721eba.81.1231808298053; Mon, 12 Jan 2009 16:58:18 -0800 (PST)
Received: by 10.210.18.3 with HTTP; Mon, 12 Jan 2009 16:58:17 -0800 (PST)
Message-ID: <7789133a0901121658o6935826dmef551c47dea9fd49@mail.gmail.com>
Date: Mon, 12 Jan 2009 16:58:17 -0800
From: Adam Barth <ietf@adambarth.com>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
In-Reply-To: <120206B6A348CA498C70E738A2E963514C0CDB@Nexus.cisecurity.lan>
MIME-Version: 1.0
Content-Disposition: inline
References: <49679299.6060703@corry.biz> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan> <7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CDB@Nexus.cisecurity.lan>
X-Google-Sender-Auth: e657b6688cf52108
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org

On Mon, Jan 12, 2009 at 3:40 PM, Blake Frantz <bfrantz@cisecurity.org> wrote:
> I see what you're a saying. However, if the user-agent actively asserts
> "the integrity of these cookies is preserved" or the server operates on
> the assumption that the cookie it previously set over HTTPS did not get
> overwritten via HTTP (much like servers currently assume the user-agent
> implements the same-origin policy), the server is still in the same
> position - it must trust what the user agent is telling it with respect
> to cookie integrity.

I don't understand what you mean by "actively asserts."  My point is
that a browser cannot do this with the current headers without a
unbounded amount of storage.

>> Oops.  Typo.  I meant "overwrite Secure cookies over HTTP (for
>> example, during logout)."
>
> Ah, yes, I agree this use case would break. Though, I don't think I've
> encountered many, if any, instances of this. That surely doesn't mean a
> million of them don't exist :)

How would you know if you've encountered instance of this pattern?  In
any case, we can instrument a browser and collect data if we want to
know how common this is.

Adam
_______________________________________________
http-state mailing list
http-state@ietf.org
https://www.ietf.org/mailman/listinfo/http-state