Re: [http-state] Welcome to http-state

"Blake Frantz" <> Mon, 12 January 2009 22:58 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 328B53A67C0; Mon, 12 Jan 2009 14:58:56 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id EFB623A67C0 for <>; Mon, 12 Jan 2009 14:58:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id h1QosRxaKBhB for <>; Mon, 12 Jan 2009 14:58:54 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id DCD263A63D2 for <>; Mon, 12 Jan 2009 14:58:53 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 12 Jan 2009 17:58:32 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan>
In-Reply-To: <>
Thread-Topic: [http-state] Welcome to http-state
Thread-Index: Acl1ARjuFlBNg88aRmCRzYakI5SRgwAALsgg
References: <><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan><><120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <>
From: Blake Frantz <>
To: Discuss HTTP State Management Mechanism <>
Subject: Re: [http-state] Welcome to http-state
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <>
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

> The attacker can still disrupt the integrity of the Secure cookie by
> first causing the cookie to be evicted and then creating a new,
> non-Secure cookie with the same name.  This has the same effect as
> overwriting the Secure cookie.

If the user agent treated two otherwise equal cookies from disparate
schemes distinctly then the attacker must control content in the HTTPS
scheme to impact the integrity of the Secure cookie. This assumes that
the Secure cookie was set over HTTPS - which I think is safe. From what
I've read in section 6.2 of the paper you've referenced, the attacker
requirements to compromise the integrity of the Secure cookie are
equivalent with the approach I'm seeking feedback on. Those requirements
being control of content rendered in the HTTPS scheme.

> An alternate way to protect the integrity of Secure cookies is to add
> a "Cookie-Integrity" header that lists the cookies set over HTTPS, as
> described in 6.2 of

Nice work. In support of this, it *may* be beneficial to modify existing
XHR mechanisms such that they prevent the programmatic creation of a
Cookie-Integrity header (
I haven't thought through this entirely, though. 

> The Cookie-Integrity header has two advantages over altering the
> semantics of Set-Cookie:
> 1) It is backwards compatible with existing servers who might
> legitimately overwrite Secure cookies over HTTPS (for example, during
> "logout").

The cross scheme clobber prevention I'm attempting to get feedback on
does not break this use case.

My take away from this is that you see a need to protect the integrity
of Secure cookies, where possible. I agree with this. I'm not convinced
that treating cross-scheme cookies distinctly or adding Cookie-Integrity
header is or is not the solution to the problem. For the purpose of this
group, I think we may have identified another bullet item in the list of
things to accomplish - figure out the best way to protect the integrity
of Secure cookies.


http-state mailing list