IETF Logo Mail Archive

Re: Linking a cookie to an IP address is a very bad in 2015...

Willy Tarreau <w@1wt.eu> Wed, 01 April 2015 15:11 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA6DB1ACD93 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 1 Apr 2015 08:11:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6vWJaJd7H_w for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 1 Apr 2015 08:11:32 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE3461ACD92 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 1 Apr 2015 08:11:32 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YdKFF-00026w-O4 for ietf-http-wg-dist@listhub.w3.org; Wed, 01 Apr 2015 15:07:53 +0000
Resent-Date: Wed, 01 Apr 2015 15:07:53 +0000
Resent-Message-Id: <E1YdKFF-00026w-O4@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <w@1wt.eu>) id 1YdKFB-00026F-Gg for ietf-http-wg@listhub.w3.org; Wed, 01 Apr 2015 15:07:49 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1YdKF5-000442-MQ for ietf-http-wg@w3.org; Wed, 01 Apr 2015 15:07:49 +0000
Received: (from willy@localhost) by pcw.home.local (8.14.3/8.14.3/Submit) id t31F7GUA007880; Wed, 1 Apr 2015 17:07:16 +0200
Date: Wed, 01 Apr 2015 17:07:16 +0200
From: Willy Tarreau <w@1wt.eu>
To: Michael Sweet <msweet@apple.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20150401150716.GA7871@1wt.eu>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-4.0
X-W3C-Hub-Spam-Report: AWL=-2.015, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1YdKF5-000442-MQ 27a05fe9d300be00959a399bbf290db2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/20150401150716.GA7871@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29180
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Michael,

On Wed, Apr 01, 2015 at 10:52:32AM -0400, Michael Sweet wrote:
> Um, no.  IP addresses, by themselves, have never been useful as unique client
> identifiers.  NAT, DHCP, proxies, roaming, etc. all contribute to their
> instability.

OK for this indeed.

> Typically the client address will be incorporated into the session cookie
> value which contains a hash of a timestamp, client address, client-supplied
> headers (like User-Agent), server-supplied nonce value, and user ID and
> password (for sites with user accounts).

Taking the user-agent would probably be more reliable than the IP address.

> The main reason for incorporating client values into the session cookie hash
> is to (imperfectly) tie the cookie to the identity of the client (vs. the
> user) and (imperfectly) protect against replay attacks, particularly for HTTP
> connections.
> 
> From an operational standpoint, I've used this method on dozens of web sites
> over the years and maybe had 10 reports of problems due to NAT/proxies, over
> millions of visitors.  There may be some "selection bias" in that number (all
> of my web sites have been tech-oriented) but I don't think this is something
> that affects a large number of users given its continued, widespread use.

Well, I've been used to see in average about 5% of users whose IP address will
change during a session on some large web sites. This is fairly common for
sites that people access from their work, and it's getting more common with
smartphones automatically picking a wifi access when they find one, which
is able to change after a few seconds/minutes of idle.

> (Note: I'm not claiming that this practice is perfect or that we shouldn't
> try to come up with something better...)

Anyway when cookies are stolen, the attacker is inside the browser. In banking
environments, the fraudulent operations are performed entirely from within the
browser so this sort of protection is totally useless since the cookie doesn't
need to be reused outside of this browser.

Regards,
Willy

v2.30.2 | Report a Bug | By Email | System Status