Re: [http-state] Security considerations overview

Achim Hoffmann <ah@securenet.de> Thu, 04 March 2010 08:55 UTC

Message-ID: <4B8F7591.6080509@securenet.de>
Date: Thu, 04 Mar 2010 09:55:45 +0100
From: Achim Hoffmann <ah@securenet.de>
Organization: SecureNet
To: Mark Pauley <mpauley@apple.com>
In-Reply-To: <B9FD2591-8A5A-46CA-A1E7-323868B23CF1@apple.com>
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Security considerations overview

Mark Pauley wrote on 04.03.2010 00:38:
> It would appear that this is covered by 4.1.2.2
> 
> We (and many other browsers) do allow setting a cookie with domain .bar.example.com from .foo.example.com
> 
> Indeed, some web applications rely on this behavior.  The compromise is that we'll allow .foo.example.com to set a cookie for .bar.example.com if and only if .example.com is not a Top Level (or registry controlled) Domain.

ouch.
That's exactly why 7. Security Considerations writes:

   Cookie protocol is NOT RECOMMENDED for (new) applications.

(my personal opinion for *secure* applications would be: FORBIDDEN ;-)
Achim
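An added illustration, not code from this thread or from any browser: a small Python model of the Domain= acceptance check under the strict reading of 4.1.2.2, beside the permissive sibling-domain behaviour the quoted message describes, plus the matching step that shows where a sibling-set cookie ends up. PUBLIC_SUFFIXES is a constructed stand-in for the real public suffix list, and all function names are my own.

```python
# Constructed, deliberately tiny stand-in for the public suffix list; a real
# user agent consults the full list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "de", "co.uk"}


def _norm(name):
    """Lower-case a host or Domain= value and strip leading/trailing dots."""
    return name.lower().strip(".")


def domain_matches(host, domain):
    """True if domain equals host or is a parent of it (example.com matches foo.example.com)."""
    host, domain = _norm(host), _norm(domain)
    return host == domain or host.endswith("." + domain)


def is_public_suffix(domain):
    return _norm(domain) in PUBLIC_SUFFIXES


def _parent(name):
    """Drop the leftmost label: foo.example.com -> example.com; 'com' -> ''."""
    return name.split(".", 1)[1] if "." in name else ""


def accept_cookie_domain(request_host, cookie_domain, permissive=False):
    """Decide whether a user agent should honour Domain=cookie_domain set by request_host.

    Strict policy (4.1.2.2 as read here): the Domain must be the request host or one
    of its parents, and must not be a public suffix such as .com or .co.uk.
    permissive=True models the behaviour described in the quoted message: a sibling
    host (foo.example.com setting .bar.example.com) is also allowed, provided the
    shared parent (example.com) is not a public suffix.
    """
    host, domain = _norm(request_host), _norm(cookie_domain)
    if not domain or is_public_suffix(domain):
        return False
    if domain_matches(host, domain):
        return True
    if permissive:
        shared = _parent(host)
        return bool(shared) and shared == _parent(domain) and not is_public_suffix(shared)
    return False


def cookies_sent_to(jar, host):
    """Return (name, value) for each stored (name, value, domain) cookie that host would receive."""
    return [(n, v) for n, v, d in jar if domain_matches(host, d)]
```

Under the permissive policy a cookie that foo.example.com sets for .bar.example.com is stored and then delivered to bar.example.com, which is the cross-host effect the reply objects to.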