Re: [hybi] workability (or otherwise) of HTTP upgrade

Bjoern Hoehrmann <derhoermi@gmx.net> Fri, 10 December 2010 02:05 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: hybi <hybi@ietf.org>
Date: Fri, 10 Dec 2010 03:06:19 +0100

* Zhong Yu wrote:
>On Thu, Dec 9, 2010 at 7:09 PM, John Tamplin <jat@google.com> wrote:
>> Not if you want to associate an HTTP-only cookie with the connection such
>> that hostile JS can't interfere with it.
>
>I don't get HTTP-only cookie. If hostile JS is running, it has access
>to everything that user has access to. It doesn't know the exact value
>of http-only cookie, or TCP seq number, but it doesn't care.

Consider the simple case of a cookie value "username=x,password=y" (or
some other value that remains valid for a long time); if the attacker
can inject script but cannot read the secret, the attack will be over
as soon as the user closes the browser tab the code is running in. But
if he does learn the secret, the attack can last for a long time. Think
reading today's mails versus today's mails and tomorrow's. Obviously,
using cookies this way, much as having script injection vulnerabilities,
is a security flaw.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
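As an added example, not code from the thread, the following Python audit of Set-Cookie headers flags the failure mode Bjoern describes above: a long-lived, credential-bearing cookie that injected script can read, so that theft outlives the tab. The one-day "long-lived" threshold, the finding codes and the password markers are assumptions made for this example.

```python
# Audit a single Set-Cookie header value for script-readable, long-lived secrets.
# Added example; thresholds and finding codes are assumptions, not a standard.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LONG_LIVED = timedelta(days=1)                     # assumption: survives past a day
CREDENTIAL_MARKERS = ("password=", "passwd=", "pwd=")  # assumption: plaintext credential


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val|None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs, now):
    """Return how long the cookie persists, or None for a session cookie."""
    if attrs.get("max-age") is not None:            # Max-Age wins over Expires
        return timedelta(seconds=int(attrs["max-age"]))
    if attrs.get("expires") is not None:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:                  # treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None                                     # gone when the browser closes


def audit_set_cookie(header, now=None):
    """Return finding codes for one Set-Cookie value (empty list means no finding)."""
    now = now or datetime.now(timezone.utc)
    _name, value, attrs = parse_set_cookie(header)
    findings = []
    lifetime = cookie_lifetime(attrs, now)
    if "httponly" not in attrs:
        findings.append("no-httponly")              # script can read the value
        if lifetime is not None and lifetime > LONG_LIVED:
            findings.append("long-lived-readable")  # stolen copy outlives the tab
    if "secure" not in attrs:
        findings.append("no-secure")                # value also travels over plain HTTP
    if any(marker in value.lower() for marker in CREDENTIAL_MARKERS):
        findings.append("password-in-value")        # valid until the password changes
    return findings
```

Running `audit_set_cookie("auth=username=x,password=y; Max-Age=2592000; Path=/")` reports all four findings, while a session cookie set with `HttpOnly; Secure` reports none.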