IETF Logo Mail Archive

Re: [http-state] cake and session stealing

Adam Barth <ietf@adambarth.com> Tue, 27 July 2010 09:08 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7175C3A6A6E for <http-state@core3.amsl.com>; Tue, 27 Jul 2010 02:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.732
X-Spam-Level:
X-Spam-Status: No, score=-1.732 tagged_above=-999 required=5 tests=[AWL=0.245, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id guP5KVs3GeU6 for <http-state@core3.amsl.com>; Tue, 27 Jul 2010 02:08:50 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 6CAC93A6A14 for <http-state@ietf.org>; Tue, 27 Jul 2010 02:08:50 -0700 (PDT)
Received: by iwn38 with SMTP id 38so3840283iwn.31 for <http-state@ietf.org>; Tue, 27 Jul 2010 02:09:12 -0700 (PDT)
Received: by 10.231.185.142 with SMTP id co14mr9032250ibb.97.1280221751905; Tue, 27 Jul 2010 02:09:11 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id r3sm4633440ibk.7.2010.07.27.02.09.10 (version=SSLv3 cipher=RC4-MD5); Tue, 27 Jul 2010 02:09:11 -0700 (PDT)
Received: by iwn38 with SMTP id 38so3840254iwn.31 for <http-state@ietf.org>; Tue, 27 Jul 2010 02:09:10 -0700 (PDT)
Received: by 10.231.183.81 with SMTP id cf17mr7416188ibb.32.1280221750340; Tue, 27 Jul 2010 02:09:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.79.85 with HTTP; Tue, 27 Jul 2010 02:08:50 -0700 (PDT)
In-Reply-To: <8B0A9FCBB9832F43971E38010638454F03EB77374D@SISPE7MB1.commscope.com>
References: <8B0A9FCBB9832F43971E38010638454F03EB773659@SISPE7MB1.commscope.com> <AANLkTi=2y+EDtyer3vn-eX8j-ao0U9jGnS-PDirqSojB@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB773720@SISPE7MB1.commscope.com> <AANLkTikB-Xn-t-_0pHoY+9eWZueAUyXLfnd5cF=mJO9G@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB77373E@SISPE7MB1.commscope.com> <AANLkTimEMK2O5ZMR1HR3gRTX6H8bwmifKVQ4FvPQxotu@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB77374D@SISPE7MB1.commscope.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 27 Jul 2010 11:08:50 +0200
Message-ID: <AANLkTi=dZ-9NsNGFyOaqQDUFkJZ3JKV024PpsGm=qg8s@mail.gmail.com>
To: "Thomson, Martin" <Martin.Thomson@andrew.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "http-state@ietf.org" <http-state@ietf.org>
Subject: Re: [http-state] cake and session stealing
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2010 09:08:52 -0000

On Tue, Jul 27, 2010 at 11:01 AM, Thomson, Martin
<Martin.Thomson@andrew.com> wrote:
>> There's a separate cake for every origin.  In particular, there's a
>> separate cake for http://bank.com and https://bank.com.  There is no
>> way for the attacker to learn or overwrite the cake for
>> https://bank.com.  That means whatever stateful interaction the user
>> has with the server on https://bank.com is protected from the
>> attacker.
>
> When you talked about this in the meeting, you talked about the step from unsecured http to TLS secured http.  I guess I misunderstood what you were trying to achieve.

You can't hope to protect that scenario from an active network
attacker.  We're interested in protecting against a web attacker
(i.e., an attacker who controls a web site, not a MITM).  I suspect
that the notion of a web attacker is an alien concept to many folks at
the IETF, but it's a very common notion in web security.

For a rigorous definition of a web attacker, please see:

http://www.adambarth.com/papers/2010/akhawe-barth-lam-mitchell-song.pdf

>> > The only solution I see to this is to treat anything that comes in on
>> an unsecured connection as suspect.  Online shopping services do this -
>> you build a cart, but they confirm again on the secured part (sometimes
>> several times).
>>
>> If a site uses http, there's nothing we can do to protect them from a
>> MITM attacker.  We're interested in protecting https sites from MITM
>> attackers.
>
> OK, I'm still trying to come to terms with the problem that you are solving.  The problem is that you are looking for a way to have session state that is not subject to the fragility of cookies.  A server wants to be able to correlate requests from the same client because the _server_ is storing state.

Yes.

> That doesn't scale particularly well, which was Mark's comment.

That might be his opinion, but that's how virtual every web site works.

> Here's another idea: hide the state in URIs.  Rely on the fact that the URIs are only seen by the one client.  No protocol changes there.

Storing state in URLs doesn't work very well for two reasons:

1) URLs are not secret.  They leak all the time (e.g., in Referer, by
copy paste, etc.)
2) URLs have even less integrity than cookies.  Cookies can be
overwritten by a network attacker, but URLs can be overwritten by just
a web attacker.

Various folks (e.g., PHP) tried state storage in URLs and it was an
unmitigated disaster.

Adam

v2.23.0 | Report a Bug | By Email