Re: [http-state] Welcome to http-state

"Adam Barth" <ietf@adambarth.com> Mon, 12 January 2009 22:48 UTC

Message-ID: <7789133a0901121448v70dcfc09q11adfbe5af9a7294@mail.gmail.com>
Date: Mon, 12 Jan 2009 14:48:30 -0800
From: Adam Barth <ietf@adambarth.com>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
In-Reply-To: <op.unn1bhjxqrq7tp@nimisha.oslo.opera.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <49679299.6060703@corry.biz> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com> <op.unn1bhjxqrq7tp@nimisha.oslo.opera.com>
Subject: Re: [http-state] Welcome to http-state

On Mon, Jan 12, 2009 at 2:41 PM, Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com> wrote:
> Please note that RFC2965 already has such integrity checking through the
> $Domain, $Path and $Port attributes.

Cool!

> It might be that $Secure should be added as well, but using Port="443"
> should already take care of that rather nicely.

Why is that?  It seems like an active network attack (which is the
kind of attacker we're trying to stop) can just fake an HTTP server on
port 443 and spoof that attribute.

> Also, my cookie-v2 draft suggests always sending the $Domain&Co parameters to
> allow servers to verify the domain of a cookie, and a $Origin attribute for
> v0 and v1 cookies to permit the receiver to know who set the cookie.

If you can tolerate the bandwidth, sending the ASCII serialization of
the origin (including the scheme) is a great idea.

Adam
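The exchange above turns on what a server can learn from the RFC 2965 request-header attributes ($Domain, $Path, $Port) and on why $Port="443" is not evidence that a cookie was set over HTTPS. The following is an added example, not code from the thread or from either author's drafts: a small server-side parser for an RFC 2965 style Cookie header, an integrity check of the attributes against what the server believes it set, and a separate "was this set over HTTPS" decision. The $Secure request attribute and the $Origin attribute are treated as the proposals discussed in the thread; their serialization here (an origin written as scheme://host:port) is an assumption for illustration, not a specification value. All header strings are constructed samples.

```python
"""RFC 2965 style Cookie header: parse, check attributes, decide on HTTPS provenance.

Added example for the http-state discussion above; not code from the thread.
$Secure and $Origin are modelled as the proposed attributes, with an assumed
origin serialization of "scheme://host:port".
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample request headers (not taken from any real traffic).
COOKIE_V1 = '$Version="1"; SID="31d4d96e407aad42"; $Path="/"; $Domain="example.com"; $Port="443"'
COOKIE_HTTP_ORIGIN = COOKIE_V1 + '; $Origin="http://example.com:443"'   # assumed attribute
COOKIE_HTTPS_ORIGIN = COOKIE_V1 + '; $Origin="https://example.com:443"'  # assumed attribute
COOKIE_SECURE = COOKIE_V1 + '; $Secure'                                  # assumed attribute
COOKIE_TWO = '$Version="1"; a="1"; $Path="/x"; b="2"; $Path="/y"'

Cookie = Dict[str, object]


def _unquote(value: str) -> str:
    """Strip one layer of surrounding double quotes, as RFC 2965 values are quoted."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_cookie_header(header: str) -> Tuple[Optional[str], List[Cookie]]:
    """Parse a Cookie request header into (version, cookies).

    Attributes beginning with '$' apply to the cookie that precedes them, so the
    parser keeps a pointer to the most recent NAME=VALUE pair.
    """
    version: Optional[str] = None
    cookies: List[Cookie] = []
    current: Optional[Cookie] = None
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, raw_value = part.partition('=')
        name = name.strip()
        value = _unquote(raw_value)
        if name == '$Version':
            version = value
        elif name.startswith('$'):
            if current is None:
                raise ValueError(f"attribute {name} appears before any cookie")
            current['attrs'][name] = value  # type: ignore[index]
        else:
            current = {'name': name, 'value': value, 'attrs': {}}
            cookies.append(current)
    return version, cookies


def check_integrity(cookie: Cookie, expected: Dict[str, str]) -> List[str]:
    """Compare $Domain/$Path/$Port with the values the server set; list mismatches.

    An empty list means the echoed attributes agree with the server's record.
    """
    problems: List[str] = []
    attrs: Dict[str, str] = cookie['attrs']  # type: ignore[assignment]
    for attr in ('$Domain', '$Path', '$Port'):
        want = expected.get(attr)
        if want is None:
            continue
        got = attrs.get(attr)
        if got is None:
            problems.append(f"{attr} missing")
        elif got != want:
            problems.append(f"{attr}={got!r}, expected {want!r}")
    return problems


def set_over_https(cookie: Cookie) -> bool:
    """True only when the cookie carries evidence it was set over HTTPS.

    $Port="443" is deliberately NOT accepted as that evidence: the port number is
    chosen by whoever answered on it, whereas the scheme reflects the browser's own
    TLS decision. Only a $Secure flag or an https $Origin (both assumed attributes
    from the thread's proposals) count.
    """
    attrs: Dict[str, str] = cookie['attrs']  # type: ignore[assignment]
    if '$Secure' in attrs:
        return True
    origin = attrs.get('$Origin')
    if origin is not None:
        return origin.lower().startswith('https://')
    return False


if __name__ == '__main__':
    expected = {'$Domain': 'example.com', '$Path': '/', '$Port': '443'}
    for label, header in (('port-only', COOKIE_V1), ('http origin', COOKIE_HTTP_ORIGIN),
                          ('https origin', COOKIE_HTTPS_ORIGIN), ('secure flag', COOKIE_SECURE)):
        _, cookies = parse_cookie_header(header)
        print(label, check_integrity(cookies[0], expected), set_over_https(cookies[0]))
```

The two checks are kept apart on purpose: `check_integrity` answers "does the cookie still carry the scope I set?", which is what the $Domain/$Path/$Port attributes were designed for, while `set_over_https` answers the separate question the thread raises, and returns False for the port-only header even though its $Port is 443.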