Re: [http-state] Seeking feedback on Security Considerations

Achim Hoffmann <ah@securenet.de> Sun, 28 February 2010 12:38 UTC

Return-Path: <ah@securenet.de>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 46B3F3A8768 for <http-state@core3.amsl.com>; Sun, 28 Feb 2010 04:38:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.455
X-Spam-Level:
X-Spam-Status: No, score=0.455 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yOZonD8g07v8 for <http-state@core3.amsl.com>; Sun, 28 Feb 2010 04:38:05 -0800 (PST)
Received: from munich.securenet.de (munich.securenet.de [82.135.17.200]) by core3.amsl.com (Postfix) with ESMTP id 739DD3A8764 for <http-state@ietf.org>; Sun, 28 Feb 2010 04:38:05 -0800 (PST)
Received: from oxee.securenet.de (unknown [10.30.18.40]) by munich.securenet.de (Postfix) with ESMTP id 0A62F27192 for <http-state@ietf.org>; Sun, 28 Feb 2010 13:38:05 +0100 (CET)
Received: by oxee.securenet.de (Postfix, from userid 65534) id 06309140242E; Sun, 28 Feb 2010 13:38:05 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by oxee.securenet.de (Postfix) with ESMTP id 419C41402427; Sun, 28 Feb 2010 13:38:04 +0100 (CET)
Received: from oxee.securenet.de ([127.0.0.1]) by localhost (oxee.securenet.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 24831-01; Sun, 28 Feb 2010 13:38:04 +0100 (CET)
Received: from [172.16.18.33] (ah.vpn.securenet.de [172.16.18.33]) by oxee.securenet.de (Postfix) with ESMTP id 8E1071402425; Sun, 28 Feb 2010 13:38:03 +0100 (CET)
Message-ID: <4B8A63AA.7080909@securenet.de>
Date: Sun, 28 Feb 2010 13:38:02 +0100
From: Achim Hoffmann <ah@securenet.de>
Organization: SecureNet
User-Agent: who">cares?
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <7789133a1002130001l6137f704va9e04a4edade1ee7@mail.gmail.com> <op.u72azuuiqrq7tp@acorna.oslo.opera.com> <5c4444771002141046k78a37fbh3aeae1ce95acbf5@mail.gmail.com>
In-Reply-To: <5c4444771002141046k78a37fbh3aeae1ce95acbf5@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Open-Xchange Express amavisd-new at oxee.securenet.de
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Seeking feedback on Security Considerations
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2010 12:38:06 -0000

>> Should the fact that clients also support cookies through HTML meta tags and
>> the Javascript document.cookie API be mentioned? The latter could be a
>> concern when including external Javascripts directly into a HTML document.
> 
> Hum...  Maybe we should add a new section about interactions with non-HTTP APIs?

It's partially coverd in the 7.5. Weak Confidentiality section.
I'm aware of at least following non-HTTP issues:
  * meta tag in the message body (HTML)
  * client API (in particular browser access to HTTP headers and DOM)
  * servers/framworks using URL rewriting (it's HTTP, but not the protocol itself)
  * server log files
  * permanent cookie store on the client

Achim