Re: Linking a cookie to an IP address is a very bad in 2015...

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Sat, 04 April 2015 10:29 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Walter H." <Walter.H@mathemainzel.info>, Max Bruce <max.bruce12@gmail.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: Linking a cookie to an IP address is a very bad in 2015...
Thread-Index: AQHQbryil9W4nlcIVkGcZNdWVbT8WZ09G4oA
Date: Sat, 04 Apr 2015 10:26:09 +0000
Message-ID: <D145888A.41A99%evyncke@cisco.com>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com> <20150401150716.GA7871@1wt.eu> <25C792A9-56D0-452D-A46C-561A44E4F229@manico.net> <20150401151634.GB7871@1wt.eu> <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com> <551E3D00.5090501@mathemainzel.info> <CABb0SYQAOXRWL5TvD5H5g_4VDwLxF=6kzhmVgCSK8Pv7pq8Apw@mail.gmail.com> <551FB3A5.503@mathemainzel.info>
In-Reply-To: <551FB3A5.503@mathemainzel.info>
Accept-Language: fr-FR, en-US
Content-Language: en-US
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/D145888A.41A99%25evyncke@cisco.com>

Walter,

The session-ID can be in a session cookie (preferred) but also in the URL (which is of course not really secure).

Two hosts behind a NAT _may_ share the same IP address (usually there is a pool of IP addresses) and the TCP port keeps changing... No real way to point to one specific user-agent.

Also, the I-D refers to another problem when the user-agent keeps changing IP address ;-)

From: "Walter H." <Walter.H@mathemainzel.info>
Organization: Home
Date: Saturday 4 April 2015 11:49
To: Max Bruce <max.bruce12@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Resent-From: <ietf-http-wg@w3.org>
Resent-Date: Sat, 4 Apr 2015 09:49:55 +0000

Let me ask it differently: where is the Session ID? Is it part of an HTTP header, part of an HTML header, a session cookie, or part of the requested URL itself?

The second: two identically configured hosts behind NAT differ neither in the user agent nor in the IP address; they only differ in the source TCP port ...

On 03.04.2015 09:13, Max Bruce wrote:
When you say transmitting from host to server, what do you mean?
And yes, if I understand what you're asking. It effectively compiled a random hash, and then enforced an IP & user agent. I have recently removed the IP enforcement though.

On Fri, Apr 3, 2015 at 12:10 AM, Walter H. <Walter.H@mathemainzel.info> wrote:
On 01.04.2015 21:48, Max Bruce wrote:
What about linking to several? I wrote a session system for my Web Server that will only allow access to the original Session ID if the IP & User-Agent has remained unchanged, in order to protect against session hijacking. I've found it's highly effective, unless you IP Spoof.
What kind of mechanism do you use for transmitting the Session ID from host to server?
Does it prevent access from an identically configured but different host behind a NAT?
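The two cases argued in this thread (identically configured hosts behind one NAT, and a legitimate user whose IP changes) replayed against a minimal session store that can pin a session to IP and User-Agent. This is an added example written for this page, not code from any participant or from Max's server; the IP addresses (RFC 5737 documentation ranges), user-agent string and user name are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample values (RFC 5737 documentation addresses); none of them
# appear in the thread.
NAT_PUBLIC_IP = "203.0.113.7"  # one public address shared by all hosts behind a NAT
OFFICE_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/37.0"


@dataclass(frozen=True)
class Request:
    session_id: str
    ip: str
    user_agent: str


class SessionStore:
    """Session IDs are 256-bit random tokens, optionally pinned to IP and/or UA."""

    def __init__(self, bind_ip: bool = False, bind_ua: bool = False) -> None:
        self.bind_ip, self.bind_ua = bind_ip, bind_ua
        self._sessions: Dict[str, Tuple[str, str, str]] = {}

    def create(self, user: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)  # cryptographically secure, 256 bits
        self._sessions[sid] = (user, ip, user_agent)
        return sid

    def lookup(self, req: Request) -> Optional[str]:
        rec = self._sessions.get(req.session_id)
        if rec is None:
            return None
        user, ip, ua = rec
        if self.bind_ip and ip != req.ip:
            return None  # IP changed: the pinning treats this as a hijack
        if self.bind_ua and ua != req.user_agent:
            return None
        return user


def nat_and_mobility_scenario(bind_ip: bool, bind_ua: bool) -> Dict[str, Optional[str]]:
    """Replays both cases from the thread against one store configuration."""
    store = SessionStore(bind_ip=bind_ip, bind_ua=bind_ua)
    sid = store.create("alice", NAT_PUBLIC_IP, OFFICE_UA)
    # Case 1: a second, identically configured host behind the same NAT presents
    # alice's session ID. It shares her public IP and UA; only the source port
    # differs, which the server-side pinning never sees.
    neighbour = Request(sid, NAT_PUBLIC_IP, OFFICE_UA)
    # Case 2: alice herself moves to another network, so her IP changes.
    alice_mobile = Request(sid, "198.51.100.23", OFFICE_UA)
    return {"neighbour_behind_nat": store.lookup(neighbour),
            "alice_after_ip_change": store.lookup(alice_mobile)}
```

With both bindings on, the neighbour still resolves to "alice" while alice's own roaming request is rejected, which is the trade-off Eric describes.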