Re: [http-state] cake and session stealing

"Thomson, Martin" <Martin.Thomson@andrew.com> Tue, 27 July 2010 07:10 UTC

From: "Thomson, Martin" <Martin.Thomson@andrew.com>
To: Adam Barth <ietf@adambarth.com>
Date: Tue, 27 Jul 2010 15:13:15 +0800
Thread-Topic: cake and session stealing
Thread-Index: AcstCRUd7uoKhBI9ShaMcKfiLYVyiwAUXFvg
Message-ID: <8B0A9FCBB9832F43971E38010638454F03EB773720@SISPE7MB1.commscope.com>
References: <8B0A9FCBB9832F43971E38010638454F03EB773659@SISPE7MB1.commscope.com> <AANLkTi=2y+EDtyer3vn-eX8j-ao0U9jGnS-PDirqSojB@mail.gmail.com>
In-Reply-To: <AANLkTi=2y+EDtyer3vn-eX8j-ao0U9jGnS-PDirqSojB@mail.gmail.com>
Cc: "http-state@ietf.org" <http-state@ietf.org>
Subject: Re: [http-state] cake and session stealing

> > An attacker that can control where you go (the URL) can equally
> > control what cookies you get.  What am I missing here?
> 
> Cake is never sent from the server to the client.  It's only ever sent
> from the client to the server, and then only over TLS.  An active
> network attacker cannot interact with the cake for HTTPS.  (Of course,
> he can steal the HTTP cake, but there's no way to defend HTTP from
> network attackers anyway.)

That's where my concern arose.  An attacker that is playing MITM can simply use their own cake.  Are we basically looking for something with basically "leap of faith" characteristics?

I suppose that it is an advantage that the attacker needs to arrange for an attack by playing MITM for all requests, which requires a degree more premeditation.  I'm not convinced that it's significantly better than the mechanisms we already have.

--Martin