Re: [http-state] Welcome to http-state
"Blake Frantz" <bfrantz@cisecurity.org> Tue, 13 January 2009 16:14 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1686D3A6956; Tue, 13 Jan 2009 08:14:47 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8B19D3A6944 for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 08:14:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qBqReODb-etC for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 08:14:42 -0800 (PST)
Received: from Nexus.cisecurity.org (nexus.cisecurity.org [128.121.47.218]) by core3.amsl.com (Postfix) with ESMTP id ACA343A6877 for <http-state@ietf.org>; Tue, 13 Jan 2009 08:14:40 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 13 Jan 2009 11:14:09 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CE6@Nexus.cisecurity.lan>
In-Reply-To: <7789133a0901121658o6935826dmef551c47dea9fd49@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [http-state] Welcome to http-state
Thread-Index: Acl1GglEUjpj+SqfQ+CCH/VTUHHeFgAAXGug
References: <49679299.6060703@corry.biz><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan><7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com><120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan><7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com><120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan><7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com><120206B6A348CA498C70E738A2E963514C0CDB@Nexus.cisecurity.lan> <7789133a0901121658o6935826dmef551c47dea9fd49@mail.gmail.com>
From: Blake Frantz <bfrantz@cisecurity.org>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
> I don't understand what you mean by "actively asserts." My point is > that a browser cannot do this with the current headers without a > unbounded amount of storage. When the user agent sends a Content-Integrity header it is actively asserting the cookie's integrity level. Regarding storage, we've gone full circle on this one. I'm thinking our time might be better served if we spent 15 mins on the phone to talk this through. That, or shoot me additional information on the storage-based implications you are referring to. I would appreciate the education. If you have some time to discuss this, give me a call any time at (206) 384 3023 or shoot me your number and a good time to call you. > How would you know if you've encountered instance of this pattern? I would have hopefully logged an improper session termination bug against one of the sites I had performed security testing on. If the logout handler operates over HTTP and the session ID is stuffed in a Secure cookie then the logout handler would have no idea which session it should terminate because it would not have access to the session ID. This would result in a lingering session. I don't recall writing about an improper session termination bug that was manifest due to the logout handler being exposed over HTTP vice HTTPS. Again, my experience does not mean this pattern isn't implemented all over the place. Blake _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry