Re: [http-state] Summary of discussion of Ticket 5 (Cookie ordering)

Daniel Stenberg <daniel@haxx.se> Fri, 16 April 2010 10:30 UTC

Return-Path: <daniel@haxx.se>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B4B7B3A69F8 for <http-state@core3.amsl.com>; Fri, 16 Apr 2010 03:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.823
X-Spam-Level:
X-Spam-Status: No, score=-0.823 tagged_above=-999 required=5 tests=[AWL=-0.433, BAYES_20=-0.74, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8S6ChMtdMYnL for <http-state@core3.amsl.com>; Fri, 16 Apr 2010 03:30:03 -0700 (PDT)
Received: from giant.haxx.se (giant.haxx.se [83.168.254.42]) by core3.amsl.com (Postfix) with ESMTP id 522563A68A8 for <http-state@ietf.org>; Fri, 16 Apr 2010 03:30:03 -0700 (PDT)
Received: from giant.haxx.se (giant.haxx.se [83.168.254.42]) by giant.haxx.se (8.14.3/8.14.3/Debian-9) with ESMTP id o3GATniR029310; Fri, 16 Apr 2010 12:29:49 +0200
Date: Fri, 16 Apr 2010 12:29:49 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: Achim Hoffmann <ah@securenet.de>
In-Reply-To: <4BC837C8.80501@securenet.de>
Message-ID: <alpine.DEB.2.00.1004161224540.24000@tvnag.unkk.fr>
References: <5c4444771002151547k75bbd0e7rfd2ccf735bdb2e37@mail.gmail.com> <u2o5c4444771004110954tfbb069ddj6f80356bc4bd47d3@mail.gmail.com> <C779AE1F-EE2B-4D87-A3F1-C91A425E339D@apple.com> <z2m5c4444771004151615r10f95fen683406b64abff6fa@mail.gmail.com> <l2j5c4444771004151627i3cc43a37n9f3783e4be04458a@mail.gmail.com> <4BC837C8.80501@securenet.de>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Summary of discussion of Ticket 5 (Cookie ordering)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2010 10:30:04 -0000

On Fri, 16 Apr 2010, Achim Hoffmann wrote:

> web applications which rely on the ordering somehow, are prone to some 
> attacks.

Sorry, but I must've missed that explanation. Where can we read up on the 
details of this claim?

> I'd recommend that the spec does not recommend the cookie ordering.

I strongly agree with this. It just seems that we're a minority and we can't 
get stuck on the sorting issue forever...

-- 

  / daniel.haxx.se