Re: [http-state] Welcome to http-state
"Blake Frantz" <bfrantz@cisecurity.org> Mon, 12 January 2009 22:58 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 328B53A67C0; Mon, 12 Jan 2009 14:58:56 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EFB623A67C0 for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 14:58:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1QosRxaKBhB for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 14:58:54 -0800 (PST)
Received: from Nexus.cisecurity.org (nexus.cisecurity.org [128.121.47.218]) by core3.amsl.com (Postfix) with ESMTP id DCD263A63D2 for <http-state@ietf.org>; Mon, 12 Jan 2009 14:58:53 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 12 Jan 2009 17:58:32 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan>
In-Reply-To: <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [http-state] Welcome to http-state
Thread-Index: Acl1ARjuFlBNg88aRmCRzYakI5SRgwAALsgg
References: <49679299.6060703@corry.biz><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan><7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com><120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com>
From: Blake Frantz <bfrantz@cisecurity.org>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
> The attacker can still disrupt the integrity of the Secure cookie by > first causing the cookie to be evicted and then creating a new, > non-Secure cookie with the same name. This has the same effect as > overwriting the Secure cookie. If the user agent treated two otherwise equal cookies from disparate schemes distinctly then the attacker must control content in the HTTPS scheme to impact the integrity of the Secure cookie. This assumes that the Secure cookie was set over HTTPS - which I think is safe. From what I've read in section 6.2 of the paper you've referenced, the attacker requirements to compromise the integrity of the Secure cookie are equivalent with the approach I'm seeking feedback on. Those requirements being control of content rendered in the HTTPS scheme. > An alternate way to protect the integrity of Secure cookies is to add > a "Cookie-Integrity" header that lists the cookies set over HTTPS, as > described in 6.2 of > http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf Nice work. In support of this, it *may* be beneficial to modify existing XHR mechanisms such that they prevent the programmatic creation of a Cookie-Integrity header (http://www.w3.org/TR/XMLHttpRequest/#security). I haven't thought through this entirely, though. > The Cookie-Integrity header has two advantages over altering the > semantics of Set-Cookie: > > 1) It is backwards compatible with existing servers who might > legitimately overwrite Secure cookies over HTTPS (for example, during > "logout"). The cross scheme clobber prevention I'm attempting to get feedback on does not break this use case. My take away from this is that you see a need to protect the integrity of Secure cookies, where possible. I agree with this. I'm not convinced that treating cross-scheme cookies distinctly or adding Cookie-Integrity header is or is not the solution to the problem. For the purpose of this group, I think we may have identified another bullet item in the list of things to accomplish - figure out the best way to protect the integrity of Secure cookies. Blake _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry