Re: [TLS] Addressing cookie theft (think BEAST) with channel bound cookies using TLS session IDs
Marsh Ray <marsh@extendedsubset.com> Wed, 28 September 2011 21:17 UTC
On 09/28/2011 04:01 PM, Yoav Nir wrote:
>
> If the server-side HTTP stack has that, why would such an application
> even need cookies? Cookies are generally keys to a saved server-side
> state. If you have access to the TLS session ID, you might as well
> use that as the key to the saved server-side state.

It seems that most web apps are developed using some type of framework. These frameworks are often optimized for the plain-HTTP case. Often HTTPS, the certs, etc. aren't brought in until somewhat late in the development process.

Apps get developed using cookies, then (occasionally) deployed with TLS as an encrypted tunnel for security. So we end up with all these insufficiently-bound channels needing channel binding.

When apps are developed using TLS from the beginning, the result ends up looking much more integrated. But we also need to look for solutions that benefit all the other apps out there.

- Marsh
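As an added illustration, not code from this thread or from any of its participants, the following Python sketch shows the construction the subject line describes: an ordinary framework-style session cookie that the server additionally binds to the TLS session ID it observed on the connection that issued it. The TLS session IDs below are constructed byte strings standing in for whatever the HTTP stack would expose; `SERVER_KEY`, `SESSION_STORE`, `issue_cookie` and `lookup_session` are hypothetical names chosen for the example. The point it demonstrates is the one BEAST makes relevant: a cookie stolen from one channel and replayed over the attacker's own TLS connection fails verification, while the cookie itself stays a plain opaque key into server-side state, so the framework's session handling is untouched.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side MAC key. In a deployment this would be managed key
# material (rotated, kept out of application code), not generated at import.
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the framework's server-side session store:
# opaque session token -> saved application state.
SESSION_STORE = {}


def _binding_tag(session_token: bytes, tls_session_id: bytes) -> str:
    """MAC the session token together with the TLS session ID of the channel.

    The length prefix keeps (token, session_id) pairs unambiguous so two
    different splits of the same bytes cannot produce the same tag.
    """
    msg = len(session_token).to_bytes(2, "big") + session_token + tls_session_id
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user: str, tls_session_id: bytes) -> str:
    """Create a session for `user` and return a cookie bound to this TLS channel.

    The cookie is `<token>.<tag>`: the token is the usual opaque key into the
    server-side store; the tag binds it to the TLS session ID seen by the server.
    """
    session_token = secrets.token_hex(16)
    SESSION_STORE[session_token] = {"user": user}
    tag = _binding_tag(session_token.encode(), tls_session_id)
    return f"{session_token}.{tag}"


def lookup_session(cookie: str, tls_session_id: bytes):
    """Return the saved state if `cookie` is valid on this TLS channel, else None.

    `tls_session_id` must be the session ID of the connection the request
    arrived on, as reported by the TLS layer, never a value taken from the
    client's HTTP request.
    """
    try:
        session_token, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = _binding_tag(session_token.encode(), tls_session_id)
    # Constant-time comparison so the tag check itself is not a timing oracle.
    if not hmac.compare_digest(expected, tag):
        return None
    return SESSION_STORE.get(session_token)


def demo():
    """Legitimate use, then replay of the stolen cookie over a different channel."""
    # Constructed 32-byte TLS session IDs for the victim's and attacker's connections.
    victim_tls_sid = bytes.fromhex("aa" * 32)
    attacker_tls_sid = bytes.fromhex("bb" * 32)

    cookie = issue_cookie("alice", victim_tls_sid)
    same_channel = lookup_session(cookie, victim_tls_sid)
    replayed = lookup_session(cookie, attacker_tls_sid)
    return same_channel, replayed


if __name__ == "__main__":
    ok, stolen = demo()
    print("same channel:", ok)        # the saved state for alice
    print("replayed elsewhere:", stolen)  # None: cookie is useless off its channel
```

The caveat a practitioner would want is visible in the same code: the binding is only as stable as the TLS session ID, so when the client performs a new full handshake and gets a new session ID, its own cookie fails `lookup_session` too and the application must re-issue it. Binding to something the client controls, or to a value taken from the HTTP request instead of the TLS layer, would defeat the purpose entirely.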