Re: [http-state] IETF-wide Last Call for -httpstate-cookie-10 ?
Daniel Stenberg <daniel@haxx.se> Thu, 26 August 2010 20:56 UTC
Return-Path: <daniel@haxx.se>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C94D3A691A for <http-state@core3.amsl.com>; Thu, 26 Aug 2010 13:56:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.168
X-Spam-Level:
X-Spam-Status: No, score=-3.168 tagged_above=-999 required=5 tests=[AWL=-0.919, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oVfcmeIrU+BU for <http-state@core3.amsl.com>; Thu, 26 Aug 2010 13:56:57 -0700 (PDT)
Received: from giant.haxx.se (giant.haxx.se [80.67.6.50]) by core3.amsl.com (Postfix) with ESMTP id 5880E3A6AD8 for <http-state@ietf.org>; Thu, 26 Aug 2010 13:56:56 -0700 (PDT)
Received: from giant.haxx.se (giant.haxx.se [80.67.6.50]) by giant.haxx.se (8.14.3/8.14.3/Debian-9.1) with ESMTP id o7QKvTns027782 for <http-state@ietf.org>; Thu, 26 Aug 2010 22:57:30 +0200
Date: Thu, 26 Aug 2010 22:57:29 +0200
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: HTTP-state mailing list <http-state@ietf.org>
In-Reply-To: <4cefb87bd1a796e242c1218b50629f1c.squirrel@sm.webmail.pair.com>
Message-ID: <alpine.DEB.2.00.1008262239160.31575@tvnag.unkk.fr>
References: <4cefb87bd1a796e242c1218b50629f1c.squirrel@sm.webmail.pair.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.3.5 (giant.haxx.se [80.67.6.50]); Thu, 26 Aug 2010 22:57:30 +0200 (CEST)
Subject: Re: [http-state] IETF-wide Last Call for -httpstate-cookie-10 ?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2010 20:56:59 -0000
On Thu, 26 Aug 2010, Shelby Moore wrote: >> It is for example a rather common way to continue a "session" that >> was begun with one HTTP client to complete it with a second one. > > I have no idea why you think a secure HTTPS client would want to open such a > security hole? Some features in softwre can be used as features for good purposes as well as bad purposes. The use-cases I've had and the ones my friends have mentioned to me have always been of the good kind, as I view them. Like logging in with a UI browser and then automating some manual and boring labour with an automated tool that can work in the same session. If it would be HTTPS, so be it. Of course, a browser could also just as well offer a "export cookies in plain text" even if it would encrypt them by default and then my "feature" could still be served. >> Do we really need to say that in a protocol spec? > > What is wrong with recommending what users assume is true for secure > websites? It was a question. I was looking for more arguments why a spec that documents a protocol over the wire should include recommendations on how to store data locally. >> You're apparently referring to 2nd para of sec 6.2. I'm personally fine >> with the wording and sentiment of the statements there. again WG would have >> to consider any changes. > > Above you wrote that you are only documenting the way the web is now. Now > you are saying it is ok to insist that browsers replace the set-cookie > function with one that will not work with existing websites. I agree with the current wording of the draft because I think the way cookies have currently been handled by APIs etc is a major contributors to the mess and problems we have with cookies today. But I don't think the exact wording of that section is terribly important as it is just a suggestion that again doesn't have any specific meaning for the actual protocol. >>> 4) 8.7. Reliance on DNS. If browsers properly implement per website >>> self-signed certificates: > >> We document the current protocol and practises here. That does not >> currently include "per website self-signed certificates". > > Why does Daniel Veditz of Mozilla/Firefox say it is a standard feature? > > https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c46 Handling of self-signed certificates is a standard feature of browsers. So you can be aware of possible MITM risks when you connect to a HTTPS site with such a cert. But it doesn't mean that cookies don't rely on DNS. First, many cookies are using HTTP and that protocol has no certificates. Then, most browsers allow you to accept the self-signed certificate (at least until HTTP Strict Transport Security isn't used) and then you get cookies while also relying on DNS. So, there's nothing in the cookie protocol that specificly is using or relying on certificates. There are the 'secure' cookies that expect and depend on a "secure" connection but I'm quite sure most browsers consider HTTPS secure even when the user has blindly accepted a self-signed certificate from a MITM (possibly after having been DNS-spoofed). Cookies as they work today have a few problems. We all know this. -- / daniel.haxx.se
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- [http-state] IETF-wide Last Call for -httpstate-c… =JeffH
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… =JeffH
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- Re: [http-state] IETF-wide Last Call for -httpsta… Bjoern Hoehrmann
- Re: [http-state] IETF-wide Last Call for -httpsta… Adam Barth
- Re: [http-state] IETF-wide Last Call for -httpsta… Bjoern Hoehrmann
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- Re: [http-state] IETF-wide Last Call for -httpsta… Peter Saint-Andre
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… Adam Barth
- Re: [http-state] IETF-wide Last Call for -httpsta… =JeffH
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… Bjoern Hoehrmann