Re: [http-state] Welcome to http-state

On Mon, 12 Jan 2009 22:59:43 +0100, Adam Barth <ietf@adambarth.com> wrote:

> On Mon, Jan 12, 2009 at 1:47 PM, Blake Frantz <bfrantz@cisecurity.org>  
> wrote:
>> Agreed that cross-scheme clobbering is historically allowed by user
>> agents. However, clobbering a cookie is different than causing a cookie
>> to be evicted. The former impacts the integrity of the cookie while the
>> latter impacts cookie availability. The purpose of an anti-clobber
>> mechanism is to protect the integrity of the Secure cookie.
>
> The attacker can still disrupt the integrity of the Secure cookie by
> first causing the cookie to be evicted and then creating a new,
> non-Secure cookie with the same name.  This has the same effect as
> overwriting the Secure cookie.
>
> An alternate way to protect the integrity of Secure cookies is to add
> a "Cookie-Integrity" header that lists the cookies set over HTTPS, as
> described in 6.2 of
> http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

Please note that RFC2965 already have such integrity checking through the  
$Domain, $Path and $Port attributes.

It might be that $Secure should be added as well, but using Port="443"  
should already take care of that rather nicely.

Also, my cookie-v2 draft suggest always sending the $Domain&Co parameters  
to allow servers to verify the domain of a cookie, and a $Origin attribute  
for v0 and v1 cookies to permit the receiver to know who set the cookie.

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
_______________________________________________
http-state mailing list
http-state@ietf.org
https://www.ietf.org/mailman/listinfo/http-state