Re: [http-state] Security considerations overview

Adam Barth <ietf@adambarth.com> Thu, 04 March 2010 13:34 UTC

In-Reply-To: <4B8F7591.6080509@securenet.de>
References: <5c4444771003021103s422a65c3me96af57dfee58105@mail.gmail.com> <5691356f1003021438t1487d6d0g39439a2bdc3543ce@mail.gmail.com> <5c4444771003021452g44538236ta855abcfe6d578da@mail.gmail.com> <Pine.LNX.4.64.1003021508100.21569@egate.xpasc.com> <5c4444771003021539i2ed4ea44mf6b52970bc52385b@mail.gmail.com> <D88C1747-4C28-43DB-9BBD-5EB951CCD471@apple.com> <5691356f1003021640n22c2dc49j7939a2f4d19d1868@mail.gmail.com> <58FE8180-6A66-44B2-90AB-33F6FFE79779@apple.com> <B9FD2591-8A5A-46CA-A1E7-323868B23CF1@apple.com> <4B8F7591.6080509@securenet.de>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 4 Mar 2010 05:33:38 -0800
Message-ID: <5c4444771003040533w32cb801ej9b16cee5775b667a@mail.gmail.com>
To: Achim Hoffmann <ah@securenet.de>
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Security considerations overview

On Thu, Mar 4, 2010 at 12:55 AM, Achim Hoffmann <ah@securenet.de> wrote:
> Mark Pauley wrote on 04.03.2010 00:38:
>> It would appear that this is covered by 4.1.2.2
>>
>> We (and many other browsers) do allow setting a cookie with domain .bar.example.com from .foo.example.com
>>
>> Indeed, some web applications rely on this behavior.  The compromise is that we'll allow .foo.example.com to set a cookie for .bar.example.com if and only if .example.com is not a Top Level (or registry controlled) Domain.
>
> outch.
> That's exactly why 7. Security Consideration writes:
>
>   Cookie protocol is NOT RECOMMENDED for (new) applications.
>
> (my personal opinion for *secure* applications would be: FORBIDDEN ;-)
> Achim

FWIW, that section doesn't say that anymore.

Adam
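The quoted exchange contrasts two ways a user agent can treat a Set-Cookie Domain attribute: the "compromise" Mark Pauley describes (a host may set a cookie for a sibling such as .bar.example.com as long as their common parent, .example.com, is not a top-level or registry-controlled domain) and the stricter rule that the Domain attribute must domain-match the request host. The following added example, written for this discussion and not code from the thread or from any browser, implements both checks side by side so the difference can be tested. The public-suffix set is a constructed stand-in for a real public suffix list, and the function names are the example's own.

```python
# Added example: two Domain-attribute acceptance policies for Set-Cookie.
# Neither function is a browser's code; both are illustrations of the rules
# discussed in the thread.

# Constructed, deliberately tiny stand-in for a real public suffix list
# ("registry controlled domains" in the thread's wording).
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}


def _canon(name):
    """Lower-case a host or Domain value and drop leading/trailing dots."""
    return name.strip().lower().strip(".")


def is_public_suffix(domain):
    return _canon(domain) in PUBLIC_SUFFIXES


def domain_matches(host, domain):
    """RFC 6265 domain-matching: host equals domain, or host ends with
    '.' + domain. (IP-address hosts are not handled in this example.)"""
    host, domain = _canon(host), _canon(domain)
    return host == domain or host.endswith("." + domain)


def common_parent(a, b):
    """Longest common suffix of two names, measured in whole labels."""
    la, lb = _canon(a).split("."), _canon(b).split(".")
    shared = []
    for x, y in zip(reversed(la), reversed(lb)):
        if x != y:
            break
        shared.append(x)
    return ".".join(reversed(shared))


def strict_policy(request_host, domain_attr):
    """Accept only if the Domain attribute domain-matches the request host
    and is not itself a public suffix. This is the rule that keeps
    foo.example.com from setting cookies that bar.example.com will receive.
    (RFC 6265 turns an exact public-suffix match into a host-only cookie;
    this example simply rejects it to keep the comparison readable.)"""
    if is_public_suffix(domain_attr):
        return False
    return domain_matches(request_host, domain_attr)


def compromise_policy(request_host, domain_attr):
    """The behaviour quoted in the thread: additionally accept a sibling
    domain whenever the nearest common parent of the request host and the
    Domain attribute is not a public suffix. The security cost is that any
    host under example.com can plant cookies on any other host under it."""
    if is_public_suffix(domain_attr):
        return False
    if domain_matches(request_host, domain_attr):
        return True
    parent = common_parent(request_host, domain_attr)
    return bool(parent) and not is_public_suffix(parent)


def compare(request_host, domain_attr):
    """Return (strict, compromise) decisions for one Set-Cookie attempt."""
    return (strict_policy(request_host, domain_attr),
            compromise_policy(request_host, domain_attr))


if __name__ == "__main__":
    for host, dom in [("foo.example.com", ".bar.example.com"),
                      ("foo.example.com", ".example.com"),
                      ("foo.example.com", ".other.com"),
                      ("shop.co.uk", ".bank.co.uk"),
                      ("foo.example.com", ".com")]:
        print(f"{host:18} Domain={dom:18} strict={compare(host, dom)[0]!s:5} "
              f"compromise={compare(host, dom)[1]}")
```

The sibling case in the first row is the one the thread argues about: the strict rule rejects it, the compromise rule accepts it because example.com is an ordinary registrable domain. The co.uk and .com rows show the guard that makes the compromise tolerable at all: once the shared parent is a public suffix, both policies refuse.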