Re: [http-state] Ticket 6: host-only cookies

Blake Frantz <bfrantz@cisecurity.org> Mon, 01 February 2010 16:32 UTC

Return-Path: <bfrantz@cisecurity.org>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CC8BC3A695E for <http-state@core3.amsl.com>; Mon, 1 Feb 2010 08:32:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dd-Hc94VR+gh for <http-state@core3.amsl.com>; Mon, 1 Feb 2010 08:32:21 -0800 (PST)
Received: from smtp157.dfw.emailsrvr.com (smtp157.dfw.emailsrvr.com [67.192.241.157]) by core3.amsl.com (Postfix) with ESMTP id 277573A672E for <http-state@ietf.org>; Mon, 1 Feb 2010 08:32:21 -0800 (PST)
Received: from relay15.relay.dfw.mlsrvr.com (localhost [127.0.0.1]) by relay15.relay.dfw.mlsrvr.com (SMTP Server) with ESMTP id 30DAD30B04E1; Mon, 1 Feb 2010 11:32:55 -0500 (EST)
Received: from smtp192.mex07a.mlsrvr.com (smtp192.mex07a.mlsrvr.com [67.192.133.192]) by relay15.relay.dfw.mlsrvr.com (SMTP Server) with ESMTPS id 19B2E30B02D6; Mon, 1 Feb 2010 11:32:54 -0500 (EST)
Received: from 34093-MBX-C03.mex07a.mlsrvr.com ([192.168.1.67]) by 222720-HUB07.mex07a.mlsrvr.com ([192.168.1.206]) with mapi; Mon, 1 Feb 2010 10:32:46 -0600
From: Blake Frantz <bfrantz@cisecurity.org>
To: Dan Winship <dan.winship@gmail.com>, Adam Barth <ietf@adambarth.com>
Date: Mon, 01 Feb 2010 10:32:42 -0600
Thread-Topic: [http-state] Ticket 6: host-only cookies
Thread-Index: AcqbcHjjyC+7JvC3T/WCHxIewvwEigH65L1A
Message-ID: <4C374A2653EB5E43AF886CE70DFC567213CE9BE2B4@34093-MBX-C03.mex07a.mlsrvr.com>
References: <7789133a1001220050m56cc438x35099b7972639331@mail.gmail.com> <4B59B834.3030500@gmail.com>
In-Reply-To: <4B59B834.3030500@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 6: host-only cookies
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2010 16:32:24 -0000

I support Dan's approach.

B
-----Original Message-----
From: http-state-bounces@ietf.org [mailto:http-state-bounces@ietf.org] On Behalf Of Dan Winship
Sent: Friday, January 22, 2010 6:38 AM
To: Adam Barth
Cc: http-state
Subject: Re: [http-state] Ticket 6: host-only cookies

On 01/22/2010 03:50 AM, Adam Barth wrote:
> 1) Specify host-only cookies to match Firefox, Chrome, Safari, and
> Opera.  This is best for security, and I think there's a good chance
> that IE will adopt host-only cookies in future, but I don't have any
> citable evidence for this belief.  (The draft currently matches this
> proposal.)

The other argument in favor of this is that the host-only cookie rule
was part of the original Netscape spec, so this isn't just a case of
unspecified behavior where some browsers do one thing and others do
another, or of clients being-liberal-in-what-they-accept to work around
server problems. IE is just doing it wrong.

> 3) Allow both behaviors.  This alternative is the worst for security
> because it makes the cookie protocol less predictable.  When all the
> other browsers agree on a behavior that's better than the IE behavior,
> I think we can require the non-IE behavior.

Well... allowing both behaviors doesn't *make* the protocol less
predictable, because the protocol already *is* less predictable, and
will continue to be for several years at least, regardless of what we
say. So we should document the unpredictability, so that server authors
will know that they have to take steps to protect themselves against
unintended cookie leakage in some cases.

So my vote is, require clients to implement host-only cookies (as the
Netscape spec did), but note in the corresponding server-side section
that some clients don't do this, with some discussion of the security
issues.

-- Dan
_______________________________________________
http-state mailing list
http-state@ietf.org
https://www.ietf.org/mailman/listinfo/http-state