Re: [http-state] Ticket 3: Public Suffixes
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Sat, 16 January 2010 11:40 UTC
Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DCD03A694A for <http-state@core3.amsl.com>; Sat, 16 Jan 2010 03:40:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kO6dXyz3TTCL for <http-state@core3.amsl.com>; Sat, 16 Jan 2010 03:40:08 -0800 (PST)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 595323A67FC for <http-state@ietf.org>; Sat, 16 Jan 2010 03:40:08 -0800 (PST)
Received: from acorna.invalid.invalid (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5) with ESMTP id o0GBapDQ004301 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 16 Jan 2010 11:36:54 GMT
Date: Sat, 16 Jan 2010 12:39:54 +0100
To: Adam Barth <ietf@adambarth.com>, http-state <http-state@ietf.org>
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Content-Type: text/plain; format="flowed"; delsp="yes"; charset="iso-8859-15"
MIME-Version: 1.0
References: <7789133a1001160001h62d203b3w76e175ec22d55e6@mail.gmail.com>
Content-Transfer-Encoding: 8bit
Message-ID: <op.u6mioszyqrq7tp@acorna.invalid.invalid>
In-Reply-To: <7789133a1001160001h62d203b3w76e175ec22d55e6@mail.gmail.com>
User-Agent: Opera Mail/9.65 (Win32)
Subject: Re: [http-state] Ticket 3: Public Suffixes
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jan 2010 11:40:10 -0000
Comments below: On Sat, 16 Jan 2010 09:01:00 +0100, Adam Barth <ietf@adambarth.com> wrote: > I'd like to start discussing the issues in the tracker. Hopefully > we'll be able to resolve them and make progress on the draft. > > The first issue I'd like to discuss is what to do with public suffixes: > http://trac.tools.ietf.org/wg/httpstate/trac/ticket/3 > > I'm not setting any particular deadline to responding to this > proposal, but hopefully we can sort something out relatively soon and > then move on to the next issue. > > == Overview == > > When a server sets a cookie, the server tells the user agent which > domains the cookie is for. The protocol restricts the server to > specifying a suffix of its own host name. For example, if the server > is foo.example.com, the server can set a cookie for foo.example.com, > example.com, or com. > > This behavior turns out to be a security problem because when > attacker.com sets a cookie for com, that cookie is sent to example.com > and can confusing the example.com server. This attack technique has > had a number of names of the years, but I'm going to call it "cookie > forcing" in this discussion. > > Cookie forcing arises because of two design flaws in the cookie > protocol: (1) servers are allowed to set cookies for superdomains and > (2) when receiving a cookie, a server cannot determine the scope of > the cookie. Unfortunately, fixing these underlying issues is out of > scope for our present work (although cookie2 has some interesting > ideas in this regard). > > What user agents actually do is slightly data-intensive. Essentially, > each user agent has a list of so-called public suffixes (or "registry > controlled" domains). The user agent then refuses to accept cookies > whose scope is a public suffix. For example, user agents will not > accept cookies for "com" or for "co.uk". See, for example, > <http://publicsuffix.org/>, which is the list used by Mozilla and some > other open-source browsers. Microsoft has it's own list for IE, which > I don't believe is publicly available. These lists are somewhat long > and dynamic because there are a lot of domain registries in the world > and the rules are different in every province of Japan. > > == Proposal == > > I propose that the spec contain a description of the vulnerability and > recommend at the SHOULD level that user agents drop cookies set for > public suffixes. > > == Alternatives == > > One alternative is to require that all user agents use a specific > well-known public suffix list. The problem with this approach is that > the list evolves with time and tracking the list is some amount of > effort. Not all user agents will want to update when the list > updates. These user agents will need to make a risk management > decision about how to approximate the list based on their security and > compatibility needs. > > Another alternative is to recommend a heuristic that works in many > cases and then further recommend that user agents use the full list. > The problem with this approach is that I don't know of any simple > heuristics that provide reasonable behavior. In the past, some user > agents have used heuristics based on the length of the top-level > domain (i.e., two characters => ccTLD => foo.cc is a public suffix). > Unfortunately, this heuristic has undesirable consequences for some > small countries that let folks register domains directly in the ccTLD. > > A third alternative is to ignore the issue entirely, but this approach > would be a disservice to folks who need to write secure user agents. Alternative 4: Use a DNS based heuristic by only allowing cookies set to domains that have an IP address defined. If there is no IP address, remove the domain attribute See my draft describing Opera's implementation: http://www.ietf.org/internet-drafts/draft-pettersen-dns-cookie-validate-05.txt Alternative 5: (which require an extensive change of the cookie specification) Reverse the domain semantics. Do not allow a site to set cookies for a parent domain, only the server itself or its subdomain any host with the server's name as the suffix (that is, example.com can set cookies either for the server example.com or the entire domain example.com; www.example.com cannot set a cookie for the domain example.com) See the following for my suggestion (the draft is currently expired) http://files.myopera.com/yngve/blog/draft-pettersen-cookie-v2-03.txt Regarding public suffix, see my proposal http://www.ietf.org/internet-drafts/draft-pettersen-subtld-structure-05.txt and Opera's upcoming system public suffix system (which is already live): http://my.opera.com/yngve/blog/2009/06/17/refreshed-subtld-public-suffix-drafts http://my.opera.com/rootstore/blog/2009/06/17/swisssign-ev-enabled-and-a-public-suffix-list And my older articles about the topic http://my.opera.com/yngve/blog/show.dml/267415 http://my.opera.com/yngve/blog/show.dml/388840 -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ********************************************************************
- [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Ticket 3: Public Suffixes Daniel Stenberg
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Ticket 3: Public Suffixes corvid
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Adam Barth
- Re: [http-state] Ticket 3: Public Suffixes Yngve N. Pettersen (Developer Opera Software ASA)
- [http-state] Meeting in Anaheim? David Morris
- Re: [http-state] Meeting in Anaheim? Bil Corry