Re: [http-state] Welcome to http-state
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Mon, 12 January 2009 22:41 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C86A63A67C0; Mon, 12 Jan 2009 14:41:59 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B56AF3A695B for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 14:41:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.599
X-Spam-Level:
X-Spam-Status: No, score=-8.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ssDc4Sy6CXxb for <http-state@core3.amsl.com>; Mon, 12 Jan 2009 14:41:57 -0800 (PST)
Received: from smtp.opera.com (sam.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 5D4243A67C0 for <http-state@ietf.org>; Mon, 12 Jan 2009 14:41:56 -0800 (PST)
Received: from nimisha.oslo.opera.com (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id n0CMfZHY020176 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <http-state@ietf.org>; Mon, 12 Jan 2009 22:41:40 GMT
Date: Mon, 12 Jan 2009 23:41:31 +0100
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
MIME-Version: 1.0
References: <49679299.6060703@corry.biz> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com>
Message-ID: <op.unn1bhjxqrq7tp@nimisha.oslo.opera.com>
In-Reply-To: <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com>
User-Agent: Opera Mail/9.26 (Win32)
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-15"; Format="flowed"; DelSp="yes"
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
On Mon, 12 Jan 2009 22:59:43 +0100, Adam Barth <ietf@adambarth.com> wrote: > On Mon, Jan 12, 2009 at 1:47 PM, Blake Frantz <bfrantz@cisecurity.org> > wrote: >> Agreed that cross-scheme clobbering is historically allowed by user >> agents. However, clobbering a cookie is different than causing a cookie >> to be evicted. The former impacts the integrity of the cookie while the >> latter impacts cookie availability. The purpose of an anti-clobber >> mechanism is to protect the integrity of the Secure cookie. > > The attacker can still disrupt the integrity of the Secure cookie by > first causing the cookie to be evicted and then creating a new, > non-Secure cookie with the same name. This has the same effect as > overwriting the Secure cookie. > > An alternate way to protect the integrity of Secure cookies is to add > a "Cookie-Integrity" header that lists the cookies set over HTTPS, as > described in 6.2 of > http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf Please note that RFC2965 already have such integrity checking through the $Domain, $Path and $Port attributes. It might be that $Secure should be added as well, but using Port="443" should already take care of that rather nicely. Also, my cookie-v2 draft suggest always sending the $Domain&Co parameters to allow servers to verify the domain of a cookie, and a $Origin attribute for v0 and v1 cookies to permit the receiver to know who set the cookie. -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ******************************************************************** _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry