Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
Achim Hoffmann <ah@securenet.de> Sun, 28 February 2010 12:09 UTC
Return-Path: <ah@securenet.de>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A41F43A8A83 for <http-state@core3.amsl.com>; Sun, 28 Feb 2010 04:09:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.951
X-Spam-Level:
X-Spam-Status: No, score=0.951 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_DE=0.35, J_CHICKENPOX_52=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n1rbd9o5vwqE for <http-state@core3.amsl.com>; Sun, 28 Feb 2010 04:09:06 -0800 (PST)
Received: from munich.securenet.de (munich.securenet.de [82.135.17.200]) by core3.amsl.com (Postfix) with ESMTP id 791AA3A8A80 for <http-state@ietf.org>; Sun, 28 Feb 2010 04:09:03 -0800 (PST)
Received: from oxee.securenet.de (unknown [10.30.18.40]) by munich.securenet.de (Postfix) with ESMTP id 9049A27192 for <http-state@ietf.org>; Sun, 28 Feb 2010 13:09:01 +0100 (CET)
Received: by oxee.securenet.de (Postfix, from userid 65534) id 6DBAB140202A; Sun, 28 Feb 2010 13:09:01 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by oxee.securenet.de (Postfix) with ESMTP id 662D5140242E for <http-state@ietf.org>; Sun, 28 Feb 2010 13:09:00 +0100 (CET)
Received: from oxee.securenet.de ([127.0.0.1]) by localhost (oxee.securenet.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07504-10 for <http-state@ietf.org>; Sun, 28 Feb 2010 13:09:00 +0100 (CET)
Received: from [172.16.18.33] (ah.vpn.securenet.de [172.16.18.33]) by oxee.securenet.de (Postfix) with ESMTP id 8F9151402425 for <http-state@ietf.org>; Sun, 28 Feb 2010 13:08:59 +0100 (CET)
Message-ID: <4B8A5CDA.80401@securenet.de>
Date: Sun, 28 Feb 2010 13:08:58 +0100
From: Achim Hoffmann <ah@securenet.de>
Organization: SecureNet
User-Agent: who">cares?
MIME-Version: 1.0
To: http-state <http-state@ietf.org>
References: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com> <4C374A2653EB5E43AF886CE70DFC567213CEF5CE46@34093-MBX-C03.mex07a.mlsrvr.com> <5c4444771002231929m3749c1c2g7903b444155dafa7@mail.gmail.com> <4B84DF96.7070709@gmx.de>
In-Reply-To: <4B84DF96.7070709@gmx.de>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Open-Xchange Express amavisd-new at oxee.securenet.de
Subject: Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2010 12:09:07 -0000
[someone] wrote on 24.02.2010 09:13: >> ... >>> The point of confusion for me in: >>> >>> "The cookie protocol is NOT RECOMMENDED for new applications" >>> I don't see any problem with this sentence, if you look at the title of this draft first. As httpstate-cookie-04.txt already covers most objects my late response are just my further explanations for the record. ---- Please apologies that this becomes a lengthy comment, but I try to summarize some of the previous comments (without quoting explicitly). Please remember that all my comments are made having "web application security" in mind. This means secure web applications and its data and secure access for users to them. The proper keywords, threats, weaknesses would be (without any order): session hijacking, session fixation, session lockout, privilege esacalation, CSRF, and some more ... IIRC it is not the focus of this draft to go into deeper explanations of them, so I just leave these things uncommented. As this draft is titled "HTTP State Management Mechanism" and not for example "HTTP user tracking gimmicks", the sentence "The cookie protocol is NOT RECOMMENDED ..." implies that the cookie protocol is meant for sessions. That's what is also described in the Abstract and Introduction section. This sentence is also in the "Security Considerations". So, there is nothing ambiguous when reading from top to bottom. Adam's changes strengthen this: > [[ > The cookie protocol has many > historical infelicities that degrade its security and privacy. > ]] > > How do folks feel about this related statement in Security Considerations: > > [[ > <t>For applications that use the cookie protocol, servers SHOULD > NOT rely upon cookies for security.</t> > ]] > Accoding some other objections: > My basic point, which reiterates what others have experessed, is that we > can't forbid usage for which you don't have a better proposed alternative. Just because developers are unwilling (I'm not saying unable:) to use/implement other mechanism, does not mean that they don't exist. Here are the well-known alternatives (all defined back in the 90s last centuty;-): * Authentication protocol (manly Digest) * URL parameters * URL rewriting * form-based variables (aka hidden fields) and if high security counts: a combination of at least two of the above. We see that there're at least 3 HTTP and one HTML alternative (where the last HTML method results in HTTP again). Means that they may be mentioned as they are about HTTP too. All these mechanisms (including cookies, which we're talking about) have their own pros and cons, I won't explain them here for now, but can provide a comprehensive comparsion of them. Some are covered in httpstate-cookie-04.txt now. If this draft states "cookie protocol is NOT RECOMENDED for sessions (due to various security ambiguities)" then develpers, application architects and decision-makers are hopefully reminded to think about better alternatives. This would also encourage other organisations (PCI, OWASP, ...) to refer to such a recomendation and then give practical suggestions and directives. Let's make the wild wide web more secure. > Security is about risk management and is never absolute. Disagreed. Security is also about threats, weakness, vulnerabilities, attacks. If you combine these (for example in a formular) and map it to your impacts (the real and theoretical ones) then you get a risk. I'll stop here about the definitions, as it is off-topic here ... > .. a SHOULD NOT statement is probabaly excessive. Hmm, I'd say this statement gets up the nerv to tell people the real security implications with the usage of the current cookie protocol ;-) Hopefully above explains why such a sentence is important for security. Achim
- [http-state] Whether to recommend the cookie prot… Adam Barth
- Re: [http-state] Whether to recommend the cookie … Blake Frantz
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Julian Reschke
- Re: [http-state] Whether to recommend the cookie … Maciej Stachowiak
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Achim Hoffmann