Re: [http-state] Ticket 6: host-only cookies
Blake Frantz <bfrantz@cisecurity.org> Mon, 01 February 2010 16:32 UTC
Return-Path: <bfrantz@cisecurity.org>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CC8BC3A695E for <http-state@core3.amsl.com>; Mon, 1 Feb 2010 08:32:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dd-Hc94VR+gh for <http-state@core3.amsl.com>; Mon, 1 Feb 2010 08:32:21 -0800 (PST)
Received: from smtp157.dfw.emailsrvr.com (smtp157.dfw.emailsrvr.com [67.192.241.157]) by core3.amsl.com (Postfix) with ESMTP id 277573A672E for <http-state@ietf.org>; Mon, 1 Feb 2010 08:32:21 -0800 (PST)
Received: from relay15.relay.dfw.mlsrvr.com (localhost [127.0.0.1]) by relay15.relay.dfw.mlsrvr.com (SMTP Server) with ESMTP id 30DAD30B04E1; Mon, 1 Feb 2010 11:32:55 -0500 (EST)
Received: from smtp192.mex07a.mlsrvr.com (smtp192.mex07a.mlsrvr.com [67.192.133.192]) by relay15.relay.dfw.mlsrvr.com (SMTP Server) with ESMTPS id 19B2E30B02D6; Mon, 1 Feb 2010 11:32:54 -0500 (EST)
Received: from 34093-MBX-C03.mex07a.mlsrvr.com ([192.168.1.67]) by 222720-HUB07.mex07a.mlsrvr.com ([192.168.1.206]) with mapi; Mon, 1 Feb 2010 10:32:46 -0600
From: Blake Frantz <bfrantz@cisecurity.org>
To: Dan Winship <dan.winship@gmail.com>, Adam Barth <ietf@adambarth.com>
Date: Mon, 01 Feb 2010 10:32:42 -0600
Thread-Topic: [http-state] Ticket 6: host-only cookies
Thread-Index: AcqbcHjjyC+7JvC3T/WCHxIewvwEigH65L1A
Message-ID: <4C374A2653EB5E43AF886CE70DFC567213CE9BE2B4@34093-MBX-C03.mex07a.mlsrvr.com>
References: <7789133a1001220050m56cc438x35099b7972639331@mail.gmail.com> <4B59B834.3030500@gmail.com>
In-Reply-To: <4B59B834.3030500@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 6: host-only cookies
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2010 16:32:24 -0000
I support Dan's approach.

B

-----Original Message-----
From: http-state-bounces@ietf.org [mailto:http-state-bounces@ietf.org] On Behalf Of Dan Winship
Sent: Friday, January 22, 2010 6:38 AM
To: Adam Barth
Cc: http-state
Subject: Re: [http-state] Ticket 6: host-only cookies

On 01/22/2010 03:50 AM, Adam Barth wrote:
> 1) Specify host-only cookies to match Firefox, Chrome, Safari, and
> Opera. This is best for security, and I think there's a good chance
> that IE will adopt host-only cookies in future, but I don't have any
> citable evidence for this belief. (The draft currently matches this
> proposal.)

The other argument in favor of this is that the host-only cookie rule was part of the original Netscape spec, so this isn't just a case of unspecified behavior where some browsers do one thing and others do another, or of clients being-liberal-in-what-they-accept to work around server problems. IE is just doing it wrong.

> 3) Allow both behaviors. This alternative is the worst for security
> because it makes the cookie protocol less predictable. When all the
> other browsers agree on a behavior that's better than the IE behavior,
> I think we can require the non-IE behavior.

Well... allowing both behaviors doesn't *make* the protocol less predictable, because the protocol already *is* less predictable, and will continue to be for several years at least, regardless of what we say. So we should document the unpredictability, so that server authors will know that they have to take steps to protect themselves against unintended cookie leakage in some cases.

So my vote is, require clients to implement host-only cookies (as the Netscape spec did), but note in the corresponding server-side section that some clients don't do this, with some discussion of the security issues.

-- Dan
_______________________________________________
http-state mailing list
http-state@ietf.org
https://www.ietf.org/mailman/listinfo/http-state
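The host-only rule the thread is voting on, as an added example that is not part of the original message and not code from any browser or from the draft: a minimal cookie store in JavaScript that implements the domain-match rule of what became RFC 6265 and has a switch to reproduce the legacy behaviour Dan attributes to IE (a cookie set without a Domain attribute still being sent to subdomains). The `CookieJar` and `domainMatches` names are this example's own, and every host name and cookie value in it is constructed sample data.

```javascript
// Added example, not code from the http-state thread or from any browser.
// A minimal cookie store implementing the host-only rule under discussion,
// with a switch that emulates the legacy IE behaviour (a cookie set without
// a Domain attribute is still sent to subdomains). Domain matching follows
// the rule in what became RFC 6265, section 5.1.3. All host names and cookie
// values below are constructed sample data.

// True if requestHost is cookieDomain itself or a subdomain of it.
function domainMatches(requestHost, cookieDomain) {
  if (requestHost === cookieDomain) return true;
  if (!requestHost.endsWith(cookieDomain)) return false;
  const prefix = requestHost.slice(0, -cookieDomain.length);
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(requestHost);
  return prefix.endsWith(".") && !isIpv4;
}

class CookieJar {
  // hostOnlyCookies = false reproduces the legacy behaviour the thread attributes to IE.
  constructor({ hostOnlyCookies = true } = {}) {
    this.hostOnlyCookies = hostOnlyCookies;
    this.cookies = [];
  }

  // Store one Set-Cookie header value received in a response from requestHost.
  // Returns false if the cookie is rejected (bad name/value pair, or a Domain
  // attribute that does not cover requestHost).
  setCookie(requestHost, header) {
    const host = requestHost.toLowerCase();
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;
    const cookie = {
      name: pair.slice(0, eq),
      value: pair.slice(eq + 1),
      domain: host,    // default: the host that set it
      hostOnly: true,  // default: host-only, as the Netscape rule requires
    };
    for (const attr of attrs) {
      const [k, v = ""] = attr.split("=").map((s) => s.trim());
      if (k.toLowerCase() === "domain" && v !== "") {
        const d = v.replace(/^\./, "").toLowerCase();
        if (!domainMatches(host, d)) return false; // cannot set cookies for an unrelated domain
        cookie.domain = d;
        cookie.hostOnly = false;
      }
    }
    if (!this.hostOnlyCookies) cookie.hostOnly = false; // legacy: no Domain still yields a domain cookie
    this.cookies = this.cookies.filter((c) => !(c.name === cookie.name && c.domain === cookie.domain));
    this.cookies.push(cookie);
    return true;
  }

  // Build the Cookie header value for a request to requestHost.
  cookieHeaderFor(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Set two cookies from example.com and see which ones reach a subdomain.
function demo(hostOnlyCookies) {
  const jar = new CookieJar({ hostOnlyCookies });
  jar.setCookie("example.com", "session=abc123; Secure; HttpOnly");
  jar.setCookie("example.com", "pref=dark; Domain=example.com");
  return {
    sameHost: jar.cookieHeaderFor("example.com"),
    subdomain: jar.cookieHeaderFor("user-content.example.com"),
  };
}

console.log("host-only clients:", demo(true));
console.log("legacy (IE-style) client:", demo(false));
```

With `hostOnlyCookies` true, only `pref=dark` (which carried an explicit Domain) reaches `user-content.example.com`; with it false, the session cookie that example.com set without a Domain attribute is sent to the subdomain as well, which is the unintended cookie leakage Dan says server authors need to be warned about.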
- [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Daniel Stenberg
- Re: [http-state] Ticket 6: host-only cookies Dan Winship
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Dan Winship
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Maciej Stachowiak
- Re: [http-state] Ticket 6: host-only cookies Roy T. Fielding
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Roy T. Fielding
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Eran Hammer-Lahav
- Re: [http-state] Ticket 6: host-only cookies Julian Reschke
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Julian Reschke
- Re: [http-state] Ticket 6: host-only cookies Dan Winship
- Re: [http-state] Ticket 6: host-only cookies Lisa Dusseault
- Re: [http-state] Ticket 6: host-only cookies Blake Frantz
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Dave Kristol
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Dave Kristol
- Re: [http-state] Ticket 6: host-only cookies Adam Barth
- Re: [http-state] Ticket 6: host-only cookies Bil Corry
- Re: [http-state] Ticket 6: host-only cookies Mark Pauley