considerations for draft-west-leave-secure-cookies-alone-04

Adam Barth <w3c@adambarth.com> Wed, 23 December 2015 04:15 UTC

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 22 Dec 2015 20:10:52 -0800
Message-ID: <CADBiRd0pgpMt=XYv-icOXMw1j4Wuc7yxad1S7hH_Ba82GjzmSA@mail.gmail.com>
To: httpbis <ietf-http-wg@w3.org>
Subject: considerations for draft-west-leave-secure-cookies-alone-04
Archived-At: <http://www.w3.org/mid/CADBiRd0pgpMt=XYv-icOXMw1j4Wuc7yxad1S7hH_Ba82GjzmSA@mail.gmail.com>

As written, draft-west-leave-secure-cookies-alone-04 gives the impression
that it solves the secure cookie integrity problem.  However, there's still
a risk that a network attacker can set a non-secure cookie before the
honest server gets a chance to set a secure cookie.  Because the secure
cookie doesn't yet exist in the cookie store, the user agent will accept
the non-secure cookie and the honest server might still be fooled.

IMHO, we should explain this risk in the security considerations section.
Here's some example text that you should feel free to edit/use/ignore:

---8<---
Although user agents prevent insecure URIs from overwriting cookies with
the Secure attribute, a network attacker might still be able to inject
cookies into the Cookie header sent to https://example.com/ if the attacker
is able to impersonate a response from http://example.com/ before the user
agent receives a genuine response from https://example.com/.  In that
situation, the user agent will accept the attacker's cookie because the
genuine cookie does not yet exist in the user agent's cookie store. The
HTTPS server at example.com will be unable to distinguish these cookies
from cookies that it set itself in an HTTPS response.  An active network
attacker might be able to leverage this ability to mount an attack against
example.com even if example.com uses HTTPS exclusively.
--->8----

Adam