Re: [http-state] Welcome to http-state
"Blake Frantz" <bfrantz@cisecurity.org> Mon, 12 January 2009 21:47 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 33C533A6946; Mon, 12 Jan 2009 13:47:48 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57DF53A696D for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 13:47:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aDtRZUDkztQ2 for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 13:47:45 -0800 (PST)
Received: from Nexus.cisecurity.org (nexus.cisecurity.org [128.121.47.218]) by core3.amsl.com (Postfix) with ESMTP id 77D583A693E for <http-state@ietf.org>; Mon, 12 Jan 2009 13:47:44 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 12 Jan 2009 16:47:22 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan>
In-Reply-To: <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [http-state] Welcome to http-state
Thread-Index: Acl08HTtJOrd/3oZSaOgWwnmulaLWgAAFdpA
References: <49679299.6060703@corry.biz><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com>
From: Blake Frantz <bfrantz@cisecurity.org>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
Agreed that cross-scheme clobbering is historically allowed by user agents. However, clobbering a cookie is different than causing a cookie to be evicted. The former impacts the integrity of the cookie while the latter impacts cookie availability. The purpose of an anti-clobber mechanism is to protect the integrity of the Secure cookie. To be effective, the user agent must treat cookies of the same origin (domain-match + path-match) and NAME distinctly if their schemes differ. This implies adding a scheme-match check to the user agent. I see such a mechanism as a defense in depth measure - akin to HttpOnly. I'm interested in hearing what everyone thinks about the utility of such a control. Blake -----Original Message----- From: http-state-bounces@ietf.org [mailto:http-state-bounces@ietf.org] On Behalf Of Adam Barth Sent: Monday, January 12, 2009 12:00 PM To: Discuss HTTP State Management Mechanism Subject: Re: [http-state] Welcome to http-state On Mon, Jan 12, 2009 at 11:51 AM, Blake Frantz <bfrantz@cisecurity.org> wrote: > 1. While RFC2109 and draft-pettersen-cookie-v2-03.txt define the > 'Secure' cookie-av to advise the user-agent against sending the cookie > over an insecure transport they do not define the desired user-agent > behavior for cross scheme writing. For example, http://foo.bar > clobbering a cookie set by https://foo.bar. Historically, cross-scheme clobbering has been allowed by user agents because it is impossible to prevent with a bounded amount of storage (due to eviction of Secure cookies). Adam _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry