Re: [http-state] Security considerations overview

Tyler Close <tyler.close@gmail.com> Tue, 02 March 2010 22:38 UTC

Return-Path: <tyler.close@gmail.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C927B3A8CCC for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 14:38:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5nPaDmA7ibS for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 14:38:09 -0800 (PST)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id E492F3A8CBF for <http-state@ietf.org>; Tue, 2 Mar 2010 14:38:09 -0800 (PST)
Received: by pvg2 with SMTP id 2so253999pvg.31 for <http-state@ietf.org>; Tue, 02 Mar 2010 14:38:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=M5iCnuw5LUAdUk5ABLu2x6lGHnFS2Jm7Ileyx38icOA=; b=qpYeAV/I1OM2Zy4BhvutAV6k53iqRs1JoNgJ2MgnS0BCVKSRAXgn3u4lp3eVMIXqSw LN31kCDu5EHF9LrNuspngZKU/IgOwVUBynO5Rs7z0zHkImgqoO5rNGntlLHNYAVC5YHM s/Q2/sfn3WT3eZiLacwY/XOzZCFD9EuPdlTlQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=cJ/4rylHeUxEq+dCCgKNdxJ1ajZjLbbSRPR3TKW+CNv+7Ut4415xq3sUu4Dul1Sv61 g79RJnwoeFywA16YptSG9c6nFHgHlHXLo/cHJDHGfHlyMihxorCFq/WA8Mj0RFOzfqFD VMSfFUT3h6Hd4JpVajYALOEc8YUzYAfRJR4pE=
MIME-Version: 1.0
Received: by 10.141.53.9 with SMTP id f9mr3658987rvk.210.1267569488487; Tue, 02 Mar 2010 14:38:08 -0800 (PST)
In-Reply-To: <5c4444771003021354o70faccache31b8a0d28005aeb@mail.gmail.com>
References: <5c4444771003021103s422a65c3me96af57dfee58105@mail.gmail.com> <Pine.LNX.4.64.1003021139330.4097@egate.xpasc.com> <5c4444771003021205t78c18f73t78913ae6ff3c70b1@mail.gmail.com> <Pine.LNX.4.64.1003021337130.21569@egate.xpasc.com> <5c4444771003021354o70faccache31b8a0d28005aeb@mail.gmail.com>
Date: Tue, 2 Mar 2010 14:38:08 -0800
Message-ID: <5691356f1003021438t1487d6d0g39439a2bdc3543ce@mail.gmail.com>
From: Tyler Close <tyler.close@gmail.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Security considerations overview
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 22:38:11 -0000

On Tue, Mar 2, 2010 at 1:54 PM, Adam Barth <ietf@adambarth.com> wrote:
> On Tue, Mar 2, 2010 at 1:46 PM, David Morris <dwm@xpasc.com> wrote:
>> On Tue, 2 Mar 2010, Adam Barth wrote:
>>> On Tue, Mar 2, 2010 at 11:42 AM, David Morris <dwm@xpasc.com> wrote:
>>> > On Tue, 2 Mar 2010, Adam Barth wrote:
>>> >>         <t>Transport-layer encryption, such as HTTPS, is insufficient to
>>> >>         prevent a network attacker from altering a victim's cookies because
>>> >>         the cookie protocol does not provide integrity.  By default, cookies
>>> >>         are transmitted in the clear, where their confidentiality can be
>>> >>         compromised by a network attacker.</t>
>>> >
>>> > I don't under stand how the second sentence extends the thought in the
>>> > first sentence. It seems in conflict in the sense that HTTPS is not
>>> > sending cookies in the clear and use of HTTPS is generally recommended
>>> > as the way to avoid compromise by network hackers. What am I missing?
>>>
>>> If even if you use the cookie protocol exclusively over HTTPS, the
>>> default is still to send the cookies in the clear (i.e., the
>>> secure-only-flag defaults to false).
>>
>> But wrapped inside of the HTTPS stream, it is like the remainder of
>> everything about the HTTP request (including headers), sans any general
>> HTTPS vulnerabilities, not visible on the network to hackers.
>>
>> If you are trying to say that a cookie sent on an HTTPS connection from
>> a server will be returned on any non-HTTPS connections and hence be
>> vulnerable in that context, the paragraph doesn't say that. To me it
>> says that even if my WHOLE application is HTTPS based, the cookies
>> are vulnerable on the network.
>
> Even if your whole application is HTTPS-based, the cookies are
> vulnerabile to active network attackers.  That is a true statement,
> and precisely the security problem we're trying to point out in that
> sentence.  Maybe this is a better formulation?
>
> [[
>        In addition, by default,
>        the cookie protocol does not provide confidentiality from network
>        attackers.
> ]]

A reader could again misinterpret that formulation and so believe the
problem can be fixed by using HTTPS, which is incorrect.

I think this thread is a good indication that providing an "executive
summary" at the start of the Security section could be very effective
in communicating the rationale behind the prior recommendation against
using cookies in new applications. Succinct statements can sometimes
communicate better than detailed descriptions.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html