Re: [http-state] Origin cookies
Adam Barth <ietf@adambarth.com> Sun, 06 March 2011 03:11 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 47CEC3A6ACC for <http-state@core3.amsl.com>; Sat, 5 Mar 2011 19:11:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[AWL=0.170, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppLFCIMfe1mb for <http-state@core3.amsl.com>; Sat, 5 Mar 2011 19:11:00 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 663AD3A68D6 for <http-state@ietf.org>; Sat, 5 Mar 2011 19:10:58 -0800 (PST)
Received: by ywi6 with SMTP id 6so1517987ywi.31 for <http-state@ietf.org>; Sat, 05 Mar 2011 19:12:09 -0800 (PST)
Received: by 10.236.66.110 with SMTP id g74mr544212yhd.88.1299381128718; Sat, 05 Mar 2011 19:12:08 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id 23sm776461yhl.23.2011.03.05.19.12.06 (version=SSLv3 cipher=OTHER); Sat, 05 Mar 2011 19:12:07 -0800 (PST)
Received: by iyj8 with SMTP id 8so3560160iyj.31 for <http-state@ietf.org>; Sat, 05 Mar 2011 19:12:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.39.129 with SMTP id g1mr1776916ibe.193.1299381126006; Sat, 05 Mar 2011 19:12:06 -0800 (PST)
Received: by 10.231.40.7 with HTTP; Sat, 5 Mar 2011 19:12:05 -0800 (PST)
Received: by 10.231.40.7 with HTTP; Sat, 5 Mar 2011 19:12:05 -0800 (PST)
In-Reply-To: <420023720-1299380409-cardhu_decombobulator_blackberry.rim.net-1702579028-@bda461.bisx.prod.on.blackberry>
References: <AANLkTikTWEyOrUCZo3CbZeN61eqXEZ2JYeELV=R+paye@mail.gmail.com> <420023720-1299380409-cardhu_decombobulator_blackberry.rim.net-1702579028-@bda461.bisx.prod.on.blackberry>
Date: Sat, 05 Mar 2011 19:12:05 -0800
Message-ID: <AANLkTi=246sa7TDobB1XW6ptGiGiHU9UE0UydZUbmPST@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
To: remy@lebeausoftware.org
Content-Type: multipart/alternative; boundary="0003255763927189a4049dc7be85"
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Origin cookies
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2011 03:11:03 -0000
Consider a server at foo.example.com. How can that server determine if a cookie it receives was set by foo.example.com or by bar.example.com? There's a similar problem with HTTP/HTTPS, which is what causes the integrity problems with active network attackers. The Origin-Cookie header solves this problem by separating the cookies that were set by the same origin from cookies that use the goofy old security policy. Adam On Mar 5, 2011 7:01 PM, "Remy Lebeau" <remy@lebeausoftware.org> wrote: > Other than a typo near the end: > > "... the non-origin cookies are returned in the Origin-Cookie header field." > > I don't understand why a separate Origin-Cookie request header is needed. It seems the Origin attribute of a cookie simply says the cookie can only be sent back to the URL it came from, while the Path/Domain/Secure attributes allow the cookie to be sent to any URL that satisfies the combo. So why add extra complexity of a new header? How does the server validate the legitimacy of the Origin-Cookie versus what it already validates for the Cookie header? > > -----Original Message----- > From: Adam Barth <ietf@adambarth.com> > Sender: http-state-bounces@ietf.org > Date: Sat, 5 Mar 2011 17:46:54 > To: http-state<http-state@ietf.org> > Subject: [http-state] Origin cookies > > Hi http-state, > > Now that we're done with phase 1, I've updated my phase 2 proposal: > > http://www.ietf.org/id/draft-abarth-cake-01.txt > > There's a bunch of boilerplate (and missing sections) in that > document. The main idea is to provide a new cookie attribute that > lets server harmonize the security policy of their cookies with the > same-origin policy. Harmonizing the two policies has a number of > general security benefits because security vulnerabilities often arise > when there's an impedance mismatch between security policies. > Specifically, origin cookies mitigate an important security hole in > cookies by preventing active network attackers from setting cookies > that overwrite the session identifies used by HTTPS web sites, e.g. as > described in Section 8.6 of draft-ietf-httpstate-cookie. > > Let me know if you have any feedback. > > Thanks! > Adam > > > ----8<---- > > Abstract > > This document defines the Origin attribute for cookies, which lets > servers harmonize the security policy of their cookies with the > widely used same-origin policy. Origin cookies provide both > confidentiality and integrity, unlike the Secure attribute, which > provides only confidentiality. > > > 3. Overview > > Using the Origin attribute, a server can set a cookie for its origin. > Unlike the Path, Domain, and Secure attributes, the Origin attribute > harmonizes the security properties of the cookie with the same-origin > policy [cite: Principles of Origin]. In particular, the Origin > attribute provides both confidentiality and integrity from other > origins. > > The Origin attribute superceeds the Path, Domain, and Secure > attributes. The server can set these attributes as well to control > the scope of cookies in legacy user agents. User agents that support > origin cookies will ignore these attributes when the Origin attribute > is present. > > Origin cookies are returned from the user agent to the server in the > Origin-Cookie header field and not the Cookie header field because > the Cookie header field does not provide any information about the > source of the cookie. When the server receives a cookie in the > Origin-Cookie header field, the server can reason that the cookie was > set by its own origin, and not injected by another origin. > > 3.1. Examples > > The server can set an origin cookie, which is returned in the Origin- > Cookie header field. Origin cookies support all the same attributes > as other kinds of cookies, except Path, Domain, and Secure, which are > ignored. > > == Server -> User Agent == > > Set-Cookie: SID=31d4d96e407aad42; Origin > > == User Agent -> Server == > > Origin-Cookie: SID=31d4d96e407aad42 > > Non-origin cookies are returned in the Cookie header as usual. If > the user agent sends the server both origin and non-origin cookies, > the origin cookies are returned in the Origin-Cookie header field and > the non-origin cookies are returned in the Origin-Cookie header > field. > > == Server -> User Agent == > > Set-Cookie: SID=31d4d96e407aad42; Origin > Set-Cookie: lang=en-US; Path=/; Domain=example.com > > == User Agent -> Server == > > Cookie: lang=en-US > Origin-Cookie: SID=31d4d96e407aad42 > > ---->8---- > _______________________________________________ > http-state mailing list > http-state@ietf.org > https://www.ietf.org/mailman/listinfo/http-state > _______________________________________________ > http-state mailing list > http-state@ietf.org > https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies Remy Lebeau
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho
- Re: [http-state] Origin cookies Adam Barth
- Re: [http-state] Origin cookies tho