Re: [secdir] Secdir review of draft-ietf-httpbis-p6-cache-20

Mark Nottingham <> Wed, 05 September 2012 03:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0DC6821F844E for <>; Tue, 4 Sep 2012 20:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -104.299
X-Spam-Status: No, score=-104.299 tagged_above=-999 required=5 tests=[AWL=-2.300, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hBrbzH6dt1dV for <>; Tue, 4 Sep 2012 20:53:29 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 08C1D21F844F for <>; Tue, 4 Sep 2012 20:53:29 -0700 (PDT)
Received: from (unknown []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 9A84922E1F4; Tue, 4 Sep 2012 23:53:16 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
From: Mark Nottingham <>
In-Reply-To: <>
Date: Wed, 5 Sep 2012 13:53:13 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Tero Kivinen <>
X-Mailer: Apple Mail (2.1486)
Cc:, " Group" <>,
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-p6-cache-20
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 05 Sep 2012 03:53:30 -0000

[ removing the IESG from the CC list]

Please see:


On 05/09/2012, at 12:11 PM, Mark Nottingham <> wrote:

> Hi Tero,
> CC:ing the HTTP mailing list.
> These all seem reasonable. I'll work to update the Security Considerations and publish in -21, will ping you once that happens.
> Thanks,
> On 04/09/2012, at 11:51 PM, Tero Kivinen <> wrote:
>> I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the 
>> IESG.  These comments were written primarily for the benefit of the 
>> security area directors.  Document editors and WG chairs should treat 
>> these comments just like any other last call comments.
>> This document is part 6 of the HTTP/1.1 and covers the caching in
>> http.
>> The security considerations section is quite short covering the case
>> that caches are attractive targets for attackers and that the fact
>> that cache can reveal information long after the information has been
>> removed from the network.
>> I think the security considerations section should list other attacks
>> too. Things that comes to my mind:
>> - Cache poisoning attacks, i.e. attacker who can control the
>> www-server for a moment could pre-load cache with stuff that will
>> stay there for long time (as long as the cache control attributes
>> say). This includes negative result (404) caching.
>> - Cache caching stuff that was not supposed to be cached, like
>> authentication credentials in forms of cookies (the RFC6265 - "HTTP
>> State Management Mechanism" says that the presense of the cookies
>> does not preclude HTTP caches from storing and reusing a response).
>> This can be problem unless all applications using cookies actually
>> make sure that they set all pages as non-cacheable.
>> - Cache might leak out information to other users of the cache who
>> fetched the page in the first time. This leaking can happen in
>> multiple ways (for example cookies, etc). Actually just timing can
>> tell that someone has already fetched the page to the cache, which
>> in some cases might be enough to leak information out.
>> There most likely are still other attacks which I did not list above.
>> Also as cookies are quite often used in various things like
>> authentication, session identifiers, language selection etc, I think
>> the section 3 should mention something about them, especially mention
>> that RFC6265 says they can be cached (this was suprise for me, I would
>> have expected cookies to be counted in the same category as
>> authorization fields i.e. fields thta disable caching).
>> I was also suprised not to find warning about the caching of the
>> cookies in the RFC6265, but perhaps we should add note here in
>> security considerations section saying that by default cookies are
>> cachable, so applications using them must make sure they are not
>> cached unless wanted so. It might not be able to reach its intended
>> users (the ones writing web applications), but at least it might
>> spread the information to some relevant parties.
>> In summary I think this document needs bit more work in security
>> considerations section.
>> -- 
> --
> Mark Nottingham

Mark Nottingham