IETF Logo Mail Archive

Re: Signing Set-Cookie

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 08 June 2022 07:58 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35184C13C2FB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 8 Jun 2022 00:58:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.661
X-Spam-Level:
X-Spam-Status: No, score=-2.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phGama0H4KcD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 8 Jun 2022 00:58:32 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A022DC13C2FC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 8 Jun 2022 00:58:19 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1nyqXn-0005rp-H9 for ietf-http-wg-dist@listhub.w3.org; Wed, 08 Jun 2022 07:55:59 +0000
Resent-Date: Wed, 08 Jun 2022 07:55:59 +0000
Resent-Message-Id: <E1nyqXn-0005rp-H9@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <ilariliusvaara@welho.com>) id 1nyqXm-0005qv-2v for ietf-http-wg@listhub.w3.org; Wed, 08 Jun 2022 07:55:58 +0000
Received: from welho-filter2b.welho.com ([83.102.41.28] helo=welho-filter2.welho.com) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <ilariliusvaara@welho.com>) id 1nyqXk-0007ZH-6j for ietf-http-wg@w3.org; Wed, 08 Jun 2022 07:55:57 +0000
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 5074AC4BF7 for <ietf-http-wg@w3.org>; Wed, 8 Jun 2022 10:55:43 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id GKPL-udDpUuB for <ietf-http-wg@w3.org>; Wed, 8 Jun 2022 10:55:43 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 112792316 for <ietf-http-wg@w3.org>; Wed, 8 Jun 2022 10:55:42 +0300 (EEST)
Date: Wed, 08 Jun 2022 10:55:41 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <YqBV/RlfyTe1P+f7@LK-Perkele-VII2.locald>
References: <A0601849-2870-4150-9926-5FA706D7F6DE@mit.edu> <CACcvr==K0gjhOaBaxt8vK80UYo1tAHVrh78yCcAEMvwx4tT=ag@mail.gmail.com> <7dff30c8-faac-413f-8387-f0a5a51fc6ff@beta.fastmail.com> <A659F1C6-97D6-48FB-BDED-B885AF93E553@mit.edu> <5f586a5b-4d62-40c8-8fa8-f747d08fd52f@beta.fastmail.com> <20220607062716.GA5885@1wt.eu> <E20AAD79-5757-4269-BFB1-6DD6CA8B2867@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <E20AAD79-5757-4269-BFB1-6DD6CA8B2867@mit.edu>
Sender: ilariliusvaara@welho.com
Received-SPF: pass client-ip=83.102.41.28; envelope-from=ilariliusvaara@welho.com; helo=welho-filter2.welho.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1nyqXk-0007ZH-6j 634458047fd9fa70f9e22d5d7024ef33
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Signing Set-Cookie
Archived-At: <https://www.w3.org/mid/YqBV/RlfyTe1P+f7@LK-Perkele-VII2.locald>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40083
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Jun 07, 2022 at 01:31:55PM -0400, Justin Richer wrote:
> 
> While I agree that the combination could potentially be problematic,
> and definitely is distasteful from a security purity standpoint, what
> I’m not seeing is an attack where two distinct non-theoretical valid
> values of Set-Cookie could be combined into another valid Set-Cookie
> header. Yes in theory there’s a comma in the syntax, but I’m not
> seeing how that could be used to mount an actual attack in a
> meaningful way. The two Set-Cookie headers combined would need to have
> the exact same content as the single Set-Cookie header on its own, but
> be interpreted in a different way by the verifier in such a way that
> would affect the application. The attacker here isn’t substituting a
> completely different value, and is not adding a value where one wasn’t
> before. Can someone please give me a concrete demonstration that shows
> this is something we should actually protect against and not just
> something to warn against?

As some others have said, this kind of reasoning is dangerous. Attackers
seem to be much more inventive than defenders. :-)

Looking at the the Set-Cookie syntax, it seems that the actual cookies
can not cause trouble, it is future-extension attribute-values that can
get confused. However, the grammar looks just odd (even in RFC6265bis),
as both quoted and unquoted forms seem to share the same character set,
which, for example does not include comma. This looks like an error in
the spec (but might be intentional?).

However, given how messy cookies are, I would not be surprised if there
are endpoints that send unquoted cookies with commas and spaces in it,
and expect the thing to work.


> Regardless, what is the recommended approach? Martin’s seems to be
> “throw out HTTP Signatures entirely”, but he’s said that since the
> work started. :) What I think though is that we’ve got a few potential
> approaches:

Realistically, I do not see much overlap between HTTP signatures and
set-cookie. Cookies are mostly associated with browsers, and:

- I do not expect signatures to have much use there.
- I expect other applications to use other mechanisms to accomplish
  similar goals as of using cookies in browser.
- I expect set-cookie to be privileged in browsers, not disclosed to
  scripts (since httponly cookies exist).

>  - Never sign Set-Cookie
>  - Never sign multiple Set-Cookie headers
>  - Have a special syntax for dealing with Set-Cookie (probably a
>    derived component, but I’m not thrilled about this one)
>  - Warn against weirdness with multiple Set-Cookie headers
> 
> Any other approaches?

Dirty hack, Use ASCII RS (0x1E) as separator for set-cookie. :-) 

But one might still need to be bit careful with that. Even if some
endpoint treats RS in HTTP/1.x as instantly fatal to connection, it
might still be accepted in HTTP/2 (since the header encoding is 8-bit
clean). In HTTP reverse proxy I have written, RS is not allowed in
HTTP/2, however the code that disallows that is entierely separate
from the code that disallows it in HTTP/1.x.


-Ilari

v2.23.0 | Report a Bug | By Email