Re: [http-state] Security considerations overview
Maciej Stachowiak <mjs@apple.com> Wed, 03 March 2010 00:15 UTC
Return-Path: <mjs@apple.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E8AE83A8D02 for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 16:15:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.598
X-Spam-Level:
X-Spam-Status: No, score=-106.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eTOJi3sdrM7P for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 16:14:59 -0800 (PST)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 300823A7D1B for <http-state@ietf.org>; Tue, 2 Mar 2010 16:14:59 -0800 (PST)
Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out3.apple.com (Postfix) with ESMTP id A478A877061D for <http-state@ietf.org>; Tue, 2 Mar 2010 16:15:00 -0800 (PST)
X-AuditID: 1180711d-b7b18ae000001001-5a-4b8daa046959
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay13.apple.com (Apple SCV relay) with SMTP id 79.8B.04097.40AAD8B4; Tue, 2 Mar 2010 16:15:00 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_NwukQ+bAoXy+RQ8bWyoCow)"
Received: from [17.151.124.138] by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KYO00JA4JD0TO40@et.apple.com> for http-state@ietf.org; Tue, 02 Mar 2010 16:15:00 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 02 Mar 2010 16:14:59 -0800
In-reply-to: <Pine.LNX.4.64.1003021547340.21569@egate.xpasc.com>
To: http-state <http-state@ietf.org>
References: <5c4444771003021103s422a65c3me96af57dfee58105@mail.gmail.com> <Pine.LNX.4.64.1003021139330.4097@egate.xpasc.com> <5c4444771003021205t78c18f73t78913ae6ff3c70b1@mail.gmail.com> <Pine.LNX.4.64.1003021337130.21569@egate.xpasc.com> <5c4444771003021354o70faccache31b8a0d28005aeb@mail.gmail.com> <5691356f1003021438t1487d6d0g39439a2bdc3543ce@mail.gmail.com> <5c4444771003021452g44538236ta855abcfe6d578da@mail.gmail.com> <Pine.LNX.4.64.1003021508100.21569@egate.xpasc.com> <5c4444771003021539i2ed4ea44mf6b52970bc52385b@mail.gmail.com> <Pine.LNX.4.64.1003021547340.21569@egate.xpasc.com>
Message-id: <3C55D07C-A335-41F7-B79F-0BBD3095F2F6@apple.com>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Subject: Re: [http-state] Security considerations overview
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 00:15:04 -0000
On Mar 2, 2010, at 4:04 PM, David Morris wrote: > > > On Tue, 2 Mar 2010, Adam Barth wrote: >> >> The issue is quite simple: >> >> 1) In an HTTPS response, the example.com server responds with >> "Set-Cookie: foo=bar". By default (i.e., without the optional Secure >> attribute), this cookie does not have the secure-only-flag set. >> 2) The user agent makes a single HTTP request. > > That case was excluded by my earlier restriction to all HTTP. That kind of "all HTTP" restriction, at the UA level rather than the site level, is one that you can not count on in a browser or even in most kinds of site-specific UAs. >> 3) The network attacker spoofs an HTTP response that contains an HTTP >> redirect to http://example.com/. > > Only applies if there is an HTTP server on the same host. And it > requires > a vulnerable infrastructure at either end of the connection. Nope, you can spoof HTTP responses without the need for the targetHTTP server to really exist. All it requires is some vulnerable infrastructure somewhere. > > This also suggests some issues with HTTP redirect which have not been > discussed in my reading/listening. It potentially exposes more than > cookies to the sniffer of traffic. HTTP traffic, since it is sent in the clear, obviously provides neither confidentiality nor integrity. What is non-obvious is that cookies by default make some of this built-in vulnerability leak over to affect HTTPS. Regards, Maciej
- [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview Tyler Close
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Maciej Stachowiak
- Re: [http-state] Security considerations overview Maciej Stachowiak
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview =JeffH
- Re: [http-state] Security considerations overview Tyler Close
- Re: [http-state] Security considerations overview Achim Hoffmann
- Re: [http-state] Security considerations overview Achim Hoffmann
- Re: [http-state] Security considerations overview Mark Pauley
- Re: [http-state] Security considerations overview Mark Pauley
- Re: [http-state] Security considerations overview Dan Witte
- Re: [http-state] Security considerations overview Achim Hoffmann
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview Mark Pauley
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth