Re: Linking a cookie to an IP address is a very bad in 2015...
Willy Tarreau <w@1wt.eu> Thu, 02 April 2015 19:36 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B9261A0103 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Apr 2015 12:36:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QEFFfsDjqSYF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Apr 2015 12:36:21 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E95C1A00F7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 2 Apr 2015 12:36:21 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Ydkra-0003yb-KA for ietf-http-wg-dist@listhub.w3.org; Thu, 02 Apr 2015 19:33:14 +0000
Resent-Date: Thu, 02 Apr 2015 19:33:14 +0000
Resent-Message-Id: <E1Ydkra-0003yb-KA@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <w@1wt.eu>) id 1YdkrX-0003xu-0i for ietf-http-wg@listhub.w3.org; Thu, 02 Apr 2015 19:33:11 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1YdkrW-0006Yx-1t for ietf-http-wg@w3.org; Thu, 02 Apr 2015 19:33:10 +0000
Received: (from willy@localhost) by pcw.home.local (8.14.3/8.14.3/Submit) id t32JWh0q008879; Thu, 2 Apr 2015 21:32:43 +0200
Date: Thu, 02 Apr 2015 21:32:43 +0200
From: Willy Tarreau <w@1wt.eu>
To: "Walter H." <Walter.H@mathemainzel.info>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20150402193243.GA8875@1wt.eu>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <551D9397.3070300@mathemainzel.info>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <551D9397.3070300@mathemainzel.info>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-4.0
X-W3C-Hub-Spam-Report: AWL=-2.023, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1YdkrW-0006Yx-1t 2560e060e306dc63996f5b510650a809
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/20150402193243.GA8875@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29227
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Thu, Apr 02, 2015 at 09:08:07PM +0200, Walter H. wrote: > think of the following: > in my country there existed a bank, that had in its electronic banking > no session cookies; > they had a worse solution, > the session was stored in the URL, so it was possible not only on > another browser or session of the same computer to use this URL > also on another computer, because, the WAN address was the same ... You will never get rid of developers who do crap until they are responsible for the impact of their ignorance or lack of care. > and now think of MITM, nothing easier than this, you use the same session; > can you really proof, money is lost, and it was not you? At least in my country, it's the bank who needs to prove it was me. That makes a huge difference because they go to great length analysing fraud and take security with seriousness. Willy
- Linking a cookie to an IP address is a very bad i… Eric Vyncke (evyncke)
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
- Re: Linking a cookie to an IP address is a very b… Michael Sweet
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Jim Manico
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Max Bruce
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Max Bruce
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Michael Sweet
- Re: Linking a cookie to an IP address is a very b… Michael Sweet
- Re: Linking a cookie to an IP address is a very b… Jim Manico
- Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
- Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
- Re: Linking a cookie to an IP address is a very b… Michael Sweet
- Re: Linking a cookie to an IP address is a very b… Zhong Yu
- Re: Linking a cookie to an IP address is a very b… Martin Thomson
- Re: Linking a cookie to an IP address is a very b… Zhong Yu
- Re: Linking a cookie to an IP address is a very b… Zhong Yu
- Re: Linking a cookie to an IP address is a very b… Martin Thomson
- Re: Linking a cookie to an IP address is a very b… Zhong Yu
- Re: Linking a cookie to an IP address is a very b… Michael Sweet
- Re: Linking a cookie to an IP address is a very b… Jim Manico
- Re: Linking a cookie to an IP address is a very b… Jim Manico
- Re: Linking a cookie to an IP address is a very b… Walter H.
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Walter H.
- Re: Linking a cookie to an IP address is a very b… Willy Tarreau
- Re: Linking a cookie to an IP address is a very b… Walter H.
- Re: Linking a cookie to an IP address is a very b… Max Bruce
- Re: Linking a cookie to an IP address is a very b… Walter H.
- Re: Linking a cookie to an IP address is a very b… Max Bruce
- Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
- Re: Linking a cookie to an IP address is a very b… Jim Manico
- Re: Linking a cookie to an IP address is a very b… Walter H.
- Re: Linking a cookie to an IP address is a very b… Walter H.
- Re: Linking a cookie to an IP address is a very b… Jim Manico
- Re: Linking a cookie to an IP address is a very b… Max Bruce
- Re: Linking a cookie to an IP address is a very b… Max Bruce
- Re: Linking a cookie to an IP address is a very b… Jim Manico
- Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
- Re: Linking a cookie to an IP address is a very b… Walter H.