IETF Logo Mail Archive

Re: [http-state] Origin cookies

Adam Barth <ietf@adambarth.com> Sun, 06 March 2011 03:11 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 47CEC3A6ACC for <http-state@core3.amsl.com>; Sat, 5 Mar 2011 19:11:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[AWL=0.170, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppLFCIMfe1mb for <http-state@core3.amsl.com>; Sat, 5 Mar 2011 19:11:00 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 663AD3A68D6 for <http-state@ietf.org>; Sat, 5 Mar 2011 19:10:58 -0800 (PST)
Received: by ywi6 with SMTP id 6so1517987ywi.31 for <http-state@ietf.org>; Sat, 05 Mar 2011 19:12:09 -0800 (PST)
Received: by 10.236.66.110 with SMTP id g74mr544212yhd.88.1299381128718; Sat, 05 Mar 2011 19:12:08 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id 23sm776461yhl.23.2011.03.05.19.12.06 (version=SSLv3 cipher=OTHER); Sat, 05 Mar 2011 19:12:07 -0800 (PST)
Received: by iyj8 with SMTP id 8so3560160iyj.31 for <http-state@ietf.org>; Sat, 05 Mar 2011 19:12:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.39.129 with SMTP id g1mr1776916ibe.193.1299381126006; Sat, 05 Mar 2011 19:12:06 -0800 (PST)
Received: by 10.231.40.7 with HTTP; Sat, 5 Mar 2011 19:12:05 -0800 (PST)
Received: by 10.231.40.7 with HTTP; Sat, 5 Mar 2011 19:12:05 -0800 (PST)
In-Reply-To: <420023720-1299380409-cardhu_decombobulator_blackberry.rim.net-1702579028-@bda461.bisx.prod.on.blackberry>
References: <AANLkTikTWEyOrUCZo3CbZeN61eqXEZ2JYeELV=R+paye@mail.gmail.com> <420023720-1299380409-cardhu_decombobulator_blackberry.rim.net-1702579028-@bda461.bisx.prod.on.blackberry>
Date: Sat, 05 Mar 2011 19:12:05 -0800
Message-ID: <AANLkTi=246sa7TDobB1XW6ptGiGiHU9UE0UydZUbmPST@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
To: remy@lebeausoftware.org
Content-Type: multipart/alternative; boundary="0003255763927189a4049dc7be85"
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Origin cookies
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2011 03:11:03 -0000

Consider a server at foo.example.com.  How can that server determine if a
cookie it receives was set by foo.example.com or by bar.example.com?
There's a similar problem with HTTP/HTTPS, which is what causes the
integrity problems with active network attackers.  The Origin-Cookie header
solves this problem by separating the cookies that were set by the same
origin from cookies that use the goofy old security policy.

Adam
 On Mar 5, 2011 7:01 PM, "Remy Lebeau" <remy@lebeausoftware.org> wrote:
> Other than a typo near the end:
>
> "... the non-origin cookies are returned in the Origin-Cookie header
field."
>
> I don't understand why a separate Origin-Cookie request header is needed.
It seems the Origin attribute of a cookie simply says the cookie can only be
sent back to the URL it came from, while the Path/Domain/Secure attributes
allow the cookie to be sent to any URL that satisfies the combo. So why add
extra complexity of a new header? How does the server validate the
legitimacy of the Origin-Cookie versus what it already validates for the
Cookie header?
>
> -----Original Message-----
> From: Adam Barth <ietf@adambarth.com>
> Sender: http-state-bounces@ietf.org
> Date: Sat, 5 Mar 2011 17:46:54
> To: http-state<http-state@ietf.org>
> Subject: [http-state] Origin cookies
>
> Hi http-state,
>
> Now that we're done with phase 1, I've updated my phase 2 proposal:
>
> http://www.ietf.org/id/draft-abarth-cake-01.txt
>
> There's a bunch of boilerplate (and missing sections) in that
> document. The main idea is to provide a new cookie attribute that
> lets server harmonize the security policy of their cookies with the
> same-origin policy. Harmonizing the two policies has a number of
> general security benefits because security vulnerabilities often arise
> when there's an impedance mismatch between security policies.
> Specifically, origin cookies mitigate an important security hole in
> cookies by preventing active network attackers from setting cookies
> that overwrite the session identifies used by HTTPS web sites, e.g. as
> described in Section 8.6 of draft-ietf-httpstate-cookie.
>
> Let me know if you have any feedback.
>
> Thanks!
> Adam
>
>
> ----8<----
>
> Abstract
>
> This document defines the Origin attribute for cookies, which lets
> servers harmonize the security policy of their cookies with the
> widely used same-origin policy. Origin cookies provide both
> confidentiality and integrity, unlike the Secure attribute, which
> provides only confidentiality.
>
>
> 3. Overview
>
> Using the Origin attribute, a server can set a cookie for its origin.
> Unlike the Path, Domain, and Secure attributes, the Origin attribute
> harmonizes the security properties of the cookie with the same-origin
> policy [cite: Principles of Origin]. In particular, the Origin
> attribute provides both confidentiality and integrity from other
> origins.
>
> The Origin attribute superceeds the Path, Domain, and Secure
> attributes. The server can set these attributes as well to control
> the scope of cookies in legacy user agents. User agents that support
> origin cookies will ignore these attributes when the Origin attribute
> is present.
>
> Origin cookies are returned from the user agent to the server in the
> Origin-Cookie header field and not the Cookie header field because
> the Cookie header field does not provide any information about the
> source of the cookie. When the server receives a cookie in the
> Origin-Cookie header field, the server can reason that the cookie was
> set by its own origin, and not injected by another origin.
>
> 3.1. Examples
>
> The server can set an origin cookie, which is returned in the Origin-
> Cookie header field. Origin cookies support all the same attributes
> as other kinds of cookies, except Path, Domain, and Secure, which are
> ignored.
>
> == Server -> User Agent ==
>
> Set-Cookie: SID=31d4d96e407aad42; Origin
>
> == User Agent -> Server ==
>
> Origin-Cookie: SID=31d4d96e407aad42
>
> Non-origin cookies are returned in the Cookie header as usual. If
> the user agent sends the server both origin and non-origin cookies,
> the origin cookies are returned in the Origin-Cookie header field and
> the non-origin cookies are returned in the Origin-Cookie header
> field.
>
> == Server -> User Agent ==
>
> Set-Cookie: SID=31d4d96e407aad42; Origin
> Set-Cookie: lang=en-US; Path=/; Domain=example.com
>
> == User Agent -> Server ==
>
> Cookie: lang=en-US
> Origin-Cookie: SID=31d4d96e407aad42
>
> ---->8----
> _______________________________________________
> http-state mailing list
> http-state@ietf.org
> https://www.ietf.org/mailman/listinfo/http-state
> _______________________________________________
> http-state mailing list
> http-state@ietf.org
> https://www.ietf.org/mailman/listinfo/http-state

v2.23.0 | Report a Bug | By Email