Re: [http-state] Security considerations overview

David Morris <dwm@xpasc.com> Tue, 02 March 2010 19:42 UTC

Return-Path: <dwm@xpasc.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 09FB03A8C63 for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 11:42:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v2OrkgZtoSLJ for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 11:42:36 -0800 (PST)
Received: from mail.xpasc.com (mail.xpasc.com [68.164.244.189]) by core3.amsl.com (Postfix) with ESMTP id 82ACA3A8AF6 for <http-state@ietf.org>; Tue, 2 Mar 2010 11:42:36 -0800 (PST)
Received: from bslepgate.xpasc.com (localhost.localdomain [127.0.0.1]) by bslepgate.xpasc.com (Postfix-out) with ESMTP id EE1F8101851 for <http-state@ietf.org>; Tue, 2 Mar 2010 11:42:36 -0800 (PST)
X-Propel-Return-Path: <dwm@xpasc.com>
Received: from mail.xpasc.com ([10.1.2.88]) by [127.0.0.1] ([127.0.0.1]) (port 7027) (Abaca EPG outproxy filter 3.1.1.9347 $Rev: 9262 $) id iz6Ura32jGA0; Tue, 02 Mar 2010 11:42:36 -0800
Received: from xpasc.com (egate.xpasc.com [10.1.2.49]) by bslepgate.xpasc.com (Postfix-out) with ESMTP id C6D13101850 for <http-state@ietf.org>; Tue, 2 Mar 2010 11:42:36 -0800 (PST)
Received: from egate.xpasc.com (egate.xpasc.com [10.1.2.49]) by xpasc.com (8.13.8/8.13.8) with ESMTP id o22JgZWu013261 for <http-state@ietf.org>; Tue, 2 Mar 2010 11:42:35 -0800
Date: Tue, 2 Mar 2010 11:42:35 -0800 (PST)
From: David Morris <dwm@xpasc.com>
To: http-state <http-state@ietf.org>
In-Reply-To: <5c4444771003021103s422a65c3me96af57dfee58105@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.1003021139330.4097@egate.xpasc.com>
References: <5c4444771003021103s422a65c3me96af57dfee58105@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Propel-ID: iz6Ura32jGA0
Subject: Re: [http-state] Security considerations overview
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: http-state <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 19:42:38 -0000

On Tue, 2 Mar 2010, Adam Barth wrote:

>         <t>Transport-layer encryption, such as HTTPS, is insufficient to
>         prevent a network attacker from altering a victim's cookies because
>         the cookie protocol does not provide integrity.  By default, cookies
>         are transmitted in the clear, where their confidentiality can be
>         compromised by a network attacker.</t>

I don't under stand how the second sentence extends the thought in the 
first sentence. It seems in conflict in the sense that HTTPS is not
sending cookies in the clear and use of HTTPS is generally recommended
as the way to avoid compromise by network hackers. What am I missing?