Re: [http-state] Seeking feedback on Security Considerations

Dan Winship <> Sat, 13 February 2010 14:37 UTC


On 02/13/2010 03:01 AM, Adam Barth wrote:
> 7.3.  Clear Text

>    In addition to encrypting and signing the contents of every cookie,
>    servers that require a higher level of security SHOULD use the cookie
>    protocol only over a secure channel.

Should probably mention the problem of having to explicitly set the
"Secure" flag too.

> 7.4.  Weak Confidentiality

>    Cookies do not provide isolation by port. 
>    Cookies do not provide isolation by scheme.

Also path.

>    Although most commonly
>    used with the http and https schemes, the cookies for a given host
>    are also available to other schemes, such as ftp and gopher.

Do we know that this is consistent across browsers? Should have some
tests for that. If it's not, we can just change "are also available" to
"may also be available" though.

>    This
>    lack of isolation is most easily seen when a user agent retrieves a
>    URI with a gopher scheme via HTTP, but the lack of isolation by
>    scheme is also apparent via non-HTTP APIs that permit access to
>    cookies, such as HTML's document.cookie API.

I think retrieving an HTML+javascript page via ftp is about a zillion
times more "easily seen" than anything involving gopher. :)

-- Dan
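
Added example, not part of the original message or of the draft: a simplified Python model of the points raised above about the "Secure" flag and the lack of isolation by port and by http/https scheme. The hosts, URLs and cookie values are constructed, and the model assumes host-only cookies and ignores the Domain and Path attributes.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, response_url):
    """Store a cookie keyed by host only (simplified model, an assumption:
    Domain and Path are ignored). Scheme and port are never recorded."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    flags = {a.partition("=")[0].strip().lower() for a in attrs}
    return {
        "name": name.strip(),
        "value": value.strip(),
        "host": urlsplit(response_url).hostname,  # port is dropped here
        "secure": "secure" in flags,              # only set if the server asks
    }

def is_sent(cookie, request_url):
    """Decide whether the cookie accompanies a request to request_url."""
    url = urlsplit(request_url)
    if url.hostname != cookie["host"]:
        return False
    # The only scheme check is the opt-in Secure flag.
    if cookie["secure"] and url.scheme != "https":
        return False
    return True  # the port is never compared

def receivers(header, response_url, request_urls):
    """Return the request URLs that would carry the cookie."""
    cookie = parse_set_cookie(header, response_url)
    return [u for u in request_urls if is_sent(cookie, u)]

# Constructed sample data: a login response and later requests.
LOGIN_URL = "https://shop.example/login"
REQUESTS = [
    "https://shop.example/account",     # same scheme, default port
    "http://shop.example/account",      # clear-text channel
    "https://shop.example:8443/admin",  # different service on another port
    "https://other.example/",           # different host
]

if __name__ == "__main__":
    for header in ("sid=abc123; HttpOnly", "sid=abc123; HttpOnly; Secure"):
        print(header)
        for url in receivers(header, LOGIN_URL, REQUESTS):
            print("  sent to", url)
```

Even when the cookie is set over https, it goes out over plain http unless the server adds Secure, and it reaches the service on port 8443 in both cases.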