Re: draft-west-leave-secure-cookies-alone

Willy Tarreau <w@1wt.eu> Thu, 22 October 2015 05:48 UTC

Date: Thu, 22 Oct 2015 07:44:06 +0200
From: Willy Tarreau <w@1wt.eu>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
Message-ID: <20151022054406.GC4405@1wt.eu>
References: <CABkgnnXnC+TxPipsvLaGmDtD31ACyUcwYvy2RfmO9k08tw9Y_w@mail.gmail.com>
In-Reply-To: <CABkgnnXnC+TxPipsvLaGmDtD31ACyUcwYvy2RfmO9k08tw9Y_w@mail.gmail.com>
Archived-At: <http://www.w3.org/mid/20151022054406.GC4405@1wt.eu>

Hi Martin,

On Wed, Oct 21, 2015 at 03:05:31PM -0700, Martin Thomson wrote:
> The authors of the paper recommended that non-secure cookies be simply
> given less precedence, so that they could not override cookies set by
> their secure brethren.  That seems far less likely to cause
> compatibility issues.  But I do prefer the change in the draft, if it
> can be made to stick.

I do think as well that there are few risks. The corner case I'm
thinking about is when cookies are used for load balancing. I know
a number of places where the cookie is relied on to maintain the
stickiness between the HTTP and HTTPS sites. So the first cookie is
assigned when you visit the HTTP site, which quickly drives you to the
HTTPS site on the same server. The issue I'm seeing is that when the
server dies, the user must be brought to another server and here we
want to be sure that it is possible to change the server from the
HTTP site after it's been used for HTTPS. The good thing is that I
don't see a reason why a load balancer would pass the "secure" flag
on a stickiness cookie, so I think this should mostly be safe.

However in my opinion this proposal will not protect at all against
cookie injection before the first visit of the site. This is often
done by bringing the visitor to an unrelated site and injecting a
cookie that will be delivered to the target site after the visitor
goes there (through a link, redirect or JS url change).

I think in fact that what we're missing is the ability for the
browser to tell the server how it considers the cookie (secure or
not). The servers could then decide to ignore non-secure cookies
in this case and that would protect much better, including against
cookie injection. That would require updating the cookie syntax and
spec though since we can't pass attributes with cookies :-/

Willy
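
The two cases raised in the message above, replayed against a toy cookie jar that applies the draft's rule (a non-secure origin cannot set a cookie that would shadow an existing Secure cookie). This is an added example, not code from the thread, from HAProxy, or from the draft; the hostnames, cookie names and values are constructed, and the matching logic is a simplification of the draft's storage algorithm (name match, Secure flag on the stored cookie, domain-match in either direction, path-match).

```javascript
// Added example (not from the thread): a minimal cookie jar applying the
// "leave secure cookies alone" rule, then the three scenarios discussed:
// a non-Secure load-balancer stickiness cookie re-set over http, a cookie
// injected before any secure cookie exists, and the same injection after
// a Secure cookie exists. All hosts and cookie names are constructed.

function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const cookie = { name: name.trim(), value: rest.join("=").trim(),
                   secure: false, domain: null, path: "/" };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "domain") cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = v.trim();
  }
  return cookie;
}

// RFC 6265 domain-match: host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 path-match (simplified to the "/" prefix form).
function pathMatches(reqPath, cookiePath) {
  const prefix = cookiePath.endsWith("/") ? cookiePath : cookiePath + "/";
  return reqPath === cookiePath || reqPath.startsWith(prefix);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // url = {host, secure, path}; header = Set-Cookie value. Returns true if stored.
  setCookie(url, header) {
    const c = parseSetCookie(header);
    if (c.domain === null) c.domain = url.host;
    if (!url.secure) {
      if (c.secure) return false;                      // Secure only settable over https
      const shadowed = this.cookies.some((e) =>
        e.secure && e.name === c.name &&
        (domainMatches(c.domain, e.domain) || domainMatches(e.domain, c.domain)) &&
        pathMatches(c.path, e.path));
      if (shadowed) return false;                       // the draft's new rejection rule
    }
    // A cookie with the same (name, domain, path) is replaced, as today.
    this.cookies = this.cookies.filter((e) =>
      !(e.name === c.name && e.domain === c.domain && e.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // The Cookie header a request to url would carry.
  cookieHeader(url) {
    return this.cookies
      .filter((e) => domainMatches(url.host, e.domain) &&
                     pathMatches(url.path, e.path) && (url.secure || !e.secure))
      .map((e) => `${e.name}=${e.value}`)
      .join("; ");
  }
}

// Scenario 1: stickiness cookie without the Secure flag. Server s1 dies and the
// load balancer re-sticks the user to s2 over http; the new rule does not block it.
function stickinessScenario() {
  const jar = new CookieJar();
  const http = { host: "www.example.com", secure: false, path: "/" };
  const https = { host: "www.example.com", secure: true, path: "/" };
  jar.setCookie(http, "SERVERID=s1; Path=/");
  jar.setCookie(https, "SERVERID=s1; Path=/");
  const moved = jar.setCookie(http, "SERVERID=s2; Path=/");
  return { moved, header: jar.cookieHeader(https) };
}

// Scenario 2: injection before the first visit. A sibling host reached over http
// sets a domain cookie; nothing Secure exists yet, so the rule cannot reject it
// and https://www.example.com receives the attacker's value.
function preVisitInjectionScenario() {
  const jar = new CookieJar();
  const attacker = { host: "evil.example.com", secure: false, path: "/" };
  const injected = jar.setCookie(attacker, "SESSION=evil; Domain=example.com; Path=/");
  const https = { host: "www.example.com", secure: true, path: "/" };
  return { injected, header: jar.cookieHeader(https) };
}

// Scenario 3: the same injection after the site has set a Secure cookie is rejected.
function postVisitInjectionScenario() {
  const jar = new CookieJar();
  const https = { host: "www.example.com", secure: true, path: "/" };
  jar.setCookie(https, "SESSION=legit; Secure; Path=/");
  const attacker = { host: "evil.example.com", secure: false, path: "/" };
  const injected = jar.setCookie(attacker, "SESSION=evil; Domain=example.com; Path=/");
  return { injected, header: jar.cookieHeader(https) };
}
```

Scenario 1 returns `moved: true` with `SERVERID=s2`, scenario 2 returns `injected: true` with the attacker's `SESSION=evil` delivered to the https origin, and scenario 3 returns `injected: false` with `SESSION=legit` intact. The gap between scenarios 2 and 3 is exactly the pre-visit injection the message says the proposal does not address; closing it would need the server to learn whether a received cookie was set from a secure context, which the current Cookie header syntax cannot express.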