Cookies and schemes.

Mike West <mkwst@google.com> Mon, 09 March 2020 08:55 UTC

From: Mike West <mkwst@google.com>
Date: Mon, 09 Mar 2020 09:51:46 +0100
Message-ID: <CAKXHy=d260V9_63yNBwLjDG=upZ+HG3iJ8hKbnFc0KU7fCbVcQ@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: mt@lowentropy.net
Subject: Cookies and schemes.
Archived-At: <https://www.w3.org/mid/CAKXHy=d260V9_63yNBwLjDG=upZ+HG3iJ8hKbnFc0KU7fCbVcQ@mail.gmail.com>

Hey folks!

We've known for quite some time that cookies' lack of respect for the
scheme that created them was an unfortunate choice that means cookies can
give only weak guarantees of confidentiality
<https://tools.ietf.org/html/rfc6265#section-8.5>. We further know that
long-lived non-secure cookies create real risks for users (pervasive
monitoring, data safety, etc.).

Martin Thomson's https://tools.ietf.org/html/draft-thomson-http-omnomnom-00 is
one take on an approach to mitigating these risks.
https://github.com/mikewest/cookies-over-http-bad is another. Neither took
off when they were proposed, but they seem to me to be clearly good ideas,
at least directionally. Given the state of the world today, and the
significant migration from HTTP to HTTPS we've seen in the past few years,
I'd like to try tilting at this particular windmill again:

https://github.com/mikewest/scheming-cookies proposes two changes:

1. We teach cookies about schemes, and lock them to the scheme that set
them (just like every other web-facing storage mechanism).

2. We curtail non-secure schemes' cookies' lifetime by agreeing on a set of
heuristics for a user's "session" on a given site, and culling cookies when
a site's session expires.

The explainer tries to work through each of those and their implications in
a little more detail. I'd appreciate feedback, either here or in the GitHub
repo. :)

-mike
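A small model of the first proposed change, contrasting RFC 6265 host-keyed cookies (where only the Secure attribute limits scheme) with cookies locked to the scheme that set them. This is an added example, not code from the omnomnom draft or the scheming-cookies explainer; the CookieJar class, the constructed Set-Cookie traffic and the demo function are assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    host: str
    scheme: str           # scheme of the response that set the cookie
    secure: bool = False  # the existing Secure attribute

@dataclass
class CookieJar:
    # scheme_bound=False models RFC 6265: cookies are keyed by host, so a cookie
    # set over https is also sent over http unless it carries Secure.
    # scheme_bound=True models the proposal: the scheme is part of the key.
    scheme_bound: bool
    cookies: dict = field(default_factory=dict)

    def set_cookie(self, response_url: str, header: str) -> Cookie:
        # Store the cookie from a Set-Cookie header received at response_url.
        u = urlsplit(response_url)
        attrs = [a.strip() for a in header.split(";")]
        name = attrs[0].partition("=")[0]
        secure = any(a.lower() == "secure" for a in attrs[1:])
        cookie = Cookie(name, u.hostname, u.scheme, secure)
        key = (u.scheme, u.hostname, name) if self.scheme_bound else (u.hostname, name)
        self.cookies[key] = cookie
        return cookie

    def cookies_for(self, request_url: str) -> list:
        # Cookies the jar would attach to a request for request_url.
        u = urlsplit(request_url)
        return [c for c in self.cookies.values()
                if c.host == u.hostname
                and not (c.secure and u.scheme != "https")             # Secure attribute
                and not (self.scheme_bound and c.scheme != u.scheme)]  # proposed scheme lock

def demo() -> dict:
    # Constructed traffic replayed into both jars; cookie names each attaches per request scheme.
    headers = [("https://example.com/", "sid=abc123"),   # set over https, no Secure attribute
               ("https://example.com/", "tok=xyz; Secure"),
               ("http://example.com/", "pref=dark")]
    result = {}
    for label, bound in (("rfc6265", False), ("scheme_bound", True)):
        jar = CookieJar(scheme_bound=bound)
        for url, hdr in headers:
            jar.set_cookie(url, hdr)
        result[label] = {s: sorted(c.name for c in jar.cookies_for(f"{s}://example.com/"))
                         for s in ("http", "https")}
    return result
```

Under the RFC 6265 model the http:// request still receives the https-set `sid` cookie because the server did not opt into Secure; with scheme binding it receives only the cookie that http:// itself set.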