Re: [http-state] Security considerations overview
Maciej Stachowiak <mjs@apple.com> Wed, 03 March 2010 00:11 UTC
Return-Path: <mjs@apple.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E33C3A8CC0 for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 16:11:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WW3pa6XwNRfd for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 16:11:56 -0800 (PST)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 1A5A83A8D02 for <http-state@ietf.org>; Tue, 2 Mar 2010 16:11:55 -0800 (PST)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out3.apple.com (Postfix) with ESMTP id 7ABCA8770437 for <http-state@ietf.org>; Tue, 2 Mar 2010 16:11:56 -0800 (PST)
X-AuditID: 11807136-b7bafae000000e8d-58-4b8da94c4770
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay15.apple.com (Apple SCV relay) with SMTP id D2.7A.03725.C49AD8B4; Tue, 2 Mar 2010 16:11:56 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
Received: from [17.151.124.138] by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KYO00J8NJ7WTO40@et.apple.com> for http-state@ietf.org; Tue, 02 Mar 2010 16:11:56 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <5c4444771003021539i2ed4ea44mf6b52970bc52385b@mail.gmail.com>
Date: Tue, 02 Mar 2010 16:11:55 -0800
Message-id: <D88C1747-4C28-43DB-9BBD-5EB951CCD471@apple.com>
References: <5c4444771003021103s422a65c3me96af57dfee58105@mail.gmail.com> <Pine.LNX.4.64.1003021139330.4097@egate.xpasc.com> <5c4444771003021205t78c18f73t78913ae6ff3c70b1@mail.gmail.com> <Pine.LNX.4.64.1003021337130.21569@egate.xpasc.com> <5c4444771003021354o70faccache31b8a0d28005aeb@mail.gmail.com> <5691356f1003021438t1487d6d0g39439a2bdc3543ce@mail.gmail.com> <5c4444771003021452g44538236ta855abcfe6d578da@mail.gmail.com> <Pine.LNX.4.64.1003021508100.21569@egate.xpasc.com> <5c4444771003021539i2ed4ea44mf6b52970bc52385b@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Security considerations overview
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 00:11:57 -0000
On Mar 2, 2010, at 3:39 PM, Adam Barth wrote: > > The issue is quite simple: > > 1) In an HTTPS response, the example.com server responds with > "Set-Cookie: foo=bar". By default (i.e., without the optional Secure > attribute), this cookie does not have the secure-only-flag set. > 2) The user agent makes a single HTTP request. > 3) The network attacker spoofs an HTTP response that contains an HTTP > redirect to http://example.com/. > 4) The user agent follows the redirect and sends the cookie foo in the > clear, where it can be observed by the attacker. Sounds like attacker can violate the integrity, as well as confidentiality, of non-Secure cookies this way (i.e. they could spoof the non-SSL response and set the cookie to the value of their choice.) Can this type of attack also affect the integrity of Secure cookies, or is there something to prevent them from being overwritten from non- SSL? Regards, Maciej
- [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview Tyler Close
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Maciej Stachowiak
- Re: [http-state] Security considerations overview Maciej Stachowiak
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview =JeffH
- Re: [http-state] Security considerations overview Tyler Close
- Re: [http-state] Security considerations overview Achim Hoffmann
- Re: [http-state] Security considerations overview Achim Hoffmann
- Re: [http-state] Security considerations overview Mark Pauley
- Re: [http-state] Security considerations overview Mark Pauley
- Re: [http-state] Security considerations overview Dan Witte
- Re: [http-state] Security considerations overview Achim Hoffmann
- Re: [http-state] Security considerations overview Adam Barth
- Re: [http-state] Security considerations overview Mark Pauley
- Re: [http-state] Security considerations overview David Morris
- Re: [http-state] Security considerations overview Adam Barth