Re: [http-state] cake and session stealing

"Thomson, Martin" <Martin.Thomson@andrew.com> Tue, 27 July 2010 08:58 UTC

From: "Thomson, Martin" <Martin.Thomson@andrew.com>
To: Adam Barth <ietf@adambarth.com>
Date: Tue, 27 Jul 2010 17:01:20 +0800
Thread-Topic: cake and session stealing
Thread-Index: AcstZ47wkSCeySoJSSmQ72uqyvec+QAAJaRg
Message-ID: <8B0A9FCBB9832F43971E38010638454F03EB77374D@SISPE7MB1.commscope.com>
References: <8B0A9FCBB9832F43971E38010638454F03EB773659@SISPE7MB1.commscope.com> <AANLkTi=2y+EDtyer3vn-eX8j-ao0U9jGnS-PDirqSojB@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB773720@SISPE7MB1.commscope.com> <AANLkTikB-Xn-t-_0pHoY+9eWZueAUyXLfnd5cF=mJO9G@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB77373E@SISPE7MB1.commscope.com> <AANLkTimEMK2O5ZMR1HR3gRTX6H8bwmifKVQ4FvPQxotu@mail.gmail.com>
In-Reply-To: <AANLkTimEMK2O5ZMR1HR3gRTX6H8bwmifKVQ4FvPQxotu@mail.gmail.com>
Cc: "http-state@ietf.org" <http-state@ietf.org>
Subject: Re: [http-state] cake and session stealing
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
> There's a separate cake for every origin.  In particular, there's a
> separate cake for http://bank.com and https://bank.com.  There is no
> way for the attacker to learn or overwrite the cake for
> https://bank.com.  That means whatever stateful interaction the user
> has with the server on https://bank.com is protected from the
> attacker.

When you talked about this in the meeting, you talked about the step from unsecured http to TLS secured http.  I guess I misunderstood what you were trying to achieve.

> > The only solution I see to this is to treat anything that comes in on
> > an unsecured connection as suspect.  Online shopping services do this -
> > you build a cart, but they confirm again on the secured part (sometimes
> > several times).
> 
> If a site uses http, there's nothing we can do to protect them from a
> MITM attacker.  We're interested in protecting https sites from MITM
> attackers.

OK, I'm still trying to come to terms with the problem that you are solving.  The problem is that you are looking for a way to have session state that is not subject to the fragility of cookies.  A server wants to be able to correlate requests from the same client because the _server_ is storing state.

That doesn't scale particularly well, which was Mark's comment.  

Here's another idea: hide the state in URIs.  Rely on the fact that the URIs are only seen by the one client.  No protocol changes there.

--Martin

BTW, cake provides less capability than a cookie.  (That's not necessarily a bad thing.)  It's more of a wafer or water cracker.
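The per-origin separation Adam describes above is the whole security argument, so here is a toy model of it, added as an illustration and not code from the thread or from any "cake" draft. It contrasts a cookie-style store keyed by host (as RFC 6265 cookies are: scheme is not part of the key, so a value injected over plain http is later sent to https://bank.com) with a store keyed by the full origin (scheme, host, port), so that an attacker who controls http://bank.com can neither read nor overwrite the https://bank.com entry. The class names, the `simulate` scenario and the session values are assumptions made for the example.

```javascript
// Added example (not from the thread): why origin-keyed state resists a
// network attacker on http://bank.com while host-keyed cookies do not.

function parseOrigin(url) {
  // WHATWG URL origin: scheme + host + non-default port,
  // e.g. 'https://bank.com:443/x' -> 'https://bank.com'
  return new URL(url).origin;
}

// Cookie-style jar: keyed by hostname and name, scheme deliberately ignored,
// matching how RFC 6265 cookies behave (assumption: no Secure-cookie
// overwrite protection, which browsers of 2010 did not have).
class CookieJar {
  constructor() { this.store = new Map(); }
  set(url, name, value) {
    const host = new URL(url).hostname;
    this.store.set(`${host}|${name}`, value);
  }
  get(url, name) {
    const host = new URL(url).hostname;
    return this.store.get(`${host}|${name}`);
  }
}

// Origin-keyed store: one entry per (scheme, host, port), so the http and
// https entries for bank.com are independent.
class CakeStore {
  constructor() { this.store = new Map(); }
  set(url, value) { this.store.set(parseOrigin(url), value); }
  get(url) { return this.store.get(parseOrigin(url)); }
}

// Constructed scenario: the user logs in over https, then a man in the middle
// on a later plain-http request to bank.com injects state of its own choosing.
function simulate() {
  const cookies = new CookieJar();
  const cakes = new CakeStore();

  cookies.set('https://bank.com/login', 'sid', 'user-session');
  cakes.set('https://bank.com/login', 'user-session');

  cookies.set('http://bank.com/', 'sid', 'attacker-session');
  cakes.set('http://bank.com/', 'attacker-session');

  return {
    // the injected cookie is what the browser now presents to https://bank.com
    cookieSeenByHttps: cookies.get('https://bank.com/account', 'sid'),
    // the https origin's entry is untouched
    cakeSeenByHttps: cakes.get('https://bank.com/account'),
    // the attacker only controls the http origin's own entry
    cakeSeenByHttp: cakes.get('http://bank.com/'),
  };
}

console.log(simulate());
```

The caveat a practitioner would add today: browsers have since narrowed the cookie side of this gap (non-secure origins can no longer overwrite a cookie carrying the Secure attribute, and the `__Host-` prefix binds a cookie to one host with no Domain attribute), but the cookie name space itself is still shared across schemes, which is exactly what the origin-keyed model avoids.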