Re: [http-state] Welcome to http-state
"Blake Frantz" <bfrantz@cisecurity.org> Tue, 13 January 2009 17:34 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1ABD28C192; Tue, 13 Jan 2009 09:34:35 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5FB3128C190 for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 09:34:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, WHOIS_NETSOLPR=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2h9dvQLcoHj for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 09:34:26 -0800 (PST)
Received: from Nexus.cisecurity.org (nexus.cisecurity.org [128.121.47.218]) by core3.amsl.com (Postfix) with ESMTP id 615993A67E2 for <http-state@ietf.org>; Tue, 13 Jan 2009 09:34:25 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 13 Jan 2009 12:33:55 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CE8@Nexus.cisecurity.lan>
In-Reply-To: <7789133a0901121655s264fb79bp49edec243e9c14af@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [http-state] Welcome to http-state
Thread-Index: Acl1GZ9JAjSSE2WXTcK4PHRkLzkcbQAgbYlQ
References: <49679299.6060703@corry.biz><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan><7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com><120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan><7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com><op.unn1bhjxqrq7tp@nimisha.oslo.opera.com><120206B6A348CA498C70E738A2E963514C0CDC@Nexus.cisecurity.lan><op.unn5yrxyqrq7tp@nimisha.oslo.opera.com> <7789133a0901121655s264fb79bp49edec243e9c14af@mail.gmail.com>
From: Blake Frantz <bfrantz@cisecurity.org>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
> -----Original Message----- > From: http-state-bounces@ietf.org [mailto:http-state-bounces@ietf.org] > On Behalf Of Adam Barth > Sent: Monday, January 12, 2009 4:55 PM > To: Discuss HTTP State Management Mechanism > Subject: Re: [http-state] Welcome to http-state ... > > We're asking for integrity against an active network attacker (imagine > someone who poisons DNS). The active network attacker can spoof an > HTTP server on port 443, i.e. http://www.bank.com:443/. When that > fake server responds with Set-Cookie2, it can cause the Port attribute > to be set to 443. If the user agent truly believes that evil.com is bank.com then all bets regarding cookie integrity are off - absent an HMAC or something equivalent. > > > The receiving server will not be able to detect if a compromised > secure > > server clobbered the cookie, but the $Origin field I am suggesting > should > > handle that as long as the receiving server itself hasn't been > compromised. > > Yes, the Origin attribute should fix the issue as long as it includes > the scheme (and not just the domain and port). > I agree with Adam and Yngve regarding the Origin attribute. The only things I would add are: 1. The user agent must not leverage information provided to it from the server when constructing the Origin value. 2. The user agent must not derive the scheme from the port number. Blake _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry