Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
David Morris <dwm@xpasc.com> Wed, 24 February 2010 21:17 UTC
Return-Path: <dwm@xpasc.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 26B093A8515 for <http-state@core3.amsl.com>;
Wed, 24 Feb 2010 13:17:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.953
X-Spam-Level:
X-Spam-Status: No, score=-1.953 tagged_above=-999 required=5 tests=[AWL=0.646,
BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HoFuOYww9FQB for
<http-state@core3.amsl.com>; Wed, 24 Feb 2010 13:17:42 -0800 (PST)
Received: from mail.xpasc.com (mail.xpasc.com [68.164.244.189]) by
core3.amsl.com (Postfix) with ESMTP id B0C683A7664 for <http-state@ietf.org>;
Wed, 24 Feb 2010 13:17:42 -0800 (PST)
Received: from bslepgate.xpasc.com (localhost.localdomain [127.0.0.1]) by
bslepgate.xpasc.com (Postfix-out) with ESMTP id 10701101852 for
<http-state@ietf.org>; Wed, 24 Feb 2010 13:19:51 -0800 (PST)
X-Propel-Return-Path: <dwm@xpasc.com>
Received: from mail.xpasc.com ([10.1.2.88]) by [127.0.0.1] ([127.0.0.1]) (port
7027) (Abaca EPG outproxy filter 3.1.1.9347 $Rev: 9262 $) id iz6Ura2oljP0;
Wed, 24 Feb 2010 13:19:51 -0800
Received: from xpasc.com (egate.xpasc.com [10.1.2.49]) by bslepgate.xpasc.com
(Postfix-out) with ESMTP id EC67A10184A for <http-state@ietf.org>;
Wed, 24 Feb 2010 13:19:50 -0800 (PST)
Received: from egate.xpasc.com (egate.xpasc.com [10.1.2.49]) by xpasc.com
(8.13.8/8.13.8) with ESMTP id o1OLJo9H021192 for <http-state@ietf.org>;
Wed, 24 Feb 2010 13:19:50 -0800
Date: Wed, 24 Feb 2010 13:19:50 -0800 (PST)
From: David Morris <dwm@xpasc.com>
To: http-state <http-state@ietf.org>
In-Reply-To: <5c4444771002240926j3f4e859cq8bfcf7be34cf7e5f@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.1002241305230.18807@egate.xpasc.com>
References: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com>
<4C374A2653EB5E43AF886CE70DFC567213CEF5CE46@34093-MBX-C03.mex07a.mlsrvr.com>
<5c4444771002231929m3749c1c2g7903b444155dafa7@mail.gmail.com>
<4B84DF96.7070709@gmx.de>
<5c4444771002240926j3f4e859cq8bfcf7be34cf7e5f@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Propel-ID: iz6Ura2oljP0
Subject: Re: [http-state] Whether to recommend the cookie protocol (was
Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: http-state <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>,
<mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>,
<mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 21:17:44 -0000
On Wed, 24 Feb 2010, Adam Barth wrote: > > [[ > The cookie protocol has many > historical infelicities that degrade its security and privacy. > ]] Better, but I think 'infelicities' is not a common word and its use would make the docuemnt harder to read. > > How do folks feel about this related statement in Security Considerations: > > [[ > <t>For applications that use the cookie protocol, servers SHOULD > NOT rely upon cookies for security.</t> > ]] Given that we are documenting an existing protocol, a SHOULD NOT statement is probabaly excessive. I think we should instead stress (and document those that are known) that there are many opportunities to compromise the content of cookies including insertion of rogue cookies and/or removing valid cookies. Hence, the design of applications which depend on cookies should carefully consider the impact on application data integrity (and security) if the cookie mechanism is subverted. In this context, I use application in the classic sense of a set of computer software which delivers some form of service to people or other computer applications.
- [http-state] Whether to recommend the cookie prot… Adam Barth
- Re: [http-state] Whether to recommend the cookie … Blake Frantz
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Julian Reschke
- Re: [http-state] Whether to recommend the cookie … Maciej Stachowiak
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Achim Hoffmann