Re: [websec] Cookies: What is to be done?
Yoav Nir <ynir@checkpoint.com> Thu, 18 July 2013 14:04 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1B1411E814F for <websec@ietfa.amsl.com>; Thu, 18 Jul 2013 07:04:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.553
X-Spam-Level:
X-Spam-Status: No, score=-10.553 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r222TrTAEj3R for <websec@ietfa.amsl.com>; Thu, 18 Jul 2013 07:04:38 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 4058311E814D for <websec@ietf.org>; Thu, 18 Jul 2013 07:04:37 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r6IE4ZTC013035; Thu, 18 Jul 2013 17:04:36 +0300
X-CheckPoint: {51E7F5F3-19-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Thu, 18 Jul 2013 17:04:35 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Trevor Perrin <trevp@trevp.net>
Thread-Topic: [websec] Cookies: What is to be done?
Thread-Index: AQHOg5S+m4hZWMDMaUuAldHP9mK/eplqRgEA
Date: Thu, 18 Jul 2013 14:04:34 +0000
Message-ID: <68B579B6-A35B-4CF2-AE12-32F2A2DA745B@checkpoint.com>
References: <CAGZ8ZG3Gso9AfLx1biOp61Mj+89TbVKZs3kJ70OALUGdcytWRw@mail.gmail.com>
In-Reply-To: <CAGZ8ZG3Gso9AfLx1biOp61Mj+89TbVKZs3kJ70OALUGdcytWRw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [91.90.139.159]
x-kse-antivirus-interceptor-info: protection disabled
x-cpdlp: 11191a3189ee896d332233b3238149221dcd78e93d
Content-Type: text/plain; charset="us-ascii"
Content-ID: <71593152E1D17046A15C3D4336600DA3@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Cookies: What is to be done?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2013 14:04:43 -0000
Hi Trevor Excellent summary. I would add one more problem. 3) Cookie availability to MitB All requests from the UA to the same server contain the same cookie, and so are deemed to belong to the same session. So if I'm connected to webmail.example.com in one browser tab, and also looking attacks.acme.com in another tab, some script or even some plain HTML can cause arbitrary requests to be sent to webmail.example.com, and all these requests are "blessed" by my cookie. I think if cookiev2 was (at least by default) identified by the triplet (source-origin, target-origin, cookie-name) we would get many less opportunities for cross-site attacks. On Jul 18, 2013, at 11:56 AM, Trevor Perrin <trevp@trevp.net> wrote: > Hi, > > I tried to send this earlier, but I don't think it went through. > > Here's an attempt to summarize the main cookie problems and proposals. > > I'd be interested if anyone sees thing differently. > > > Problems > ========= > > 1) Bearer token problem: > Cookies are transmitted frequently, and if a transmitted cookie is > somehow stolen, it could be used by an attacker. > > 2a) Cookie scoping (confidentiality): > Cookies set on example.com will typically be sent to all subdomains of > example.com. So the security of example.com can be undermined by > less-secure subdomains. Even HSTS/HPKP/TACK/DANE for example.com > could be undermined if a hacker can take over test.example.com, or a > MITM can invent badguy.example.com, since the browser would hand these > attackers the example.com session cookie. There are partial > mitigations for this, but nothing that could work reliably across all > sites and browsers: > > - Omitting the cookie's "Domain" attribute will cause cookies to be > sent only to "example.com" and not its subdomains (RFC 6265), on all > browsers except IE. IE seems unwilling to change this, presumably > due to legacy web apps. > > - Setting a cookie's "Secure" attribute will require the browser to > only transmit it over SSL/TLS. However, the subdomain may not have the > same HSTS/HPKP/TACK/DANE/etc requirements as its parent. HSTS and > HPKP provide "includeSubdomains" to address this (RFC 6797, 14.4). > However, it's common for example.com to have subdomains that can't > comply with HSTS or HPKP (for example: mobile.example.com doesn't use > SSL; images.example.com is hosted on a CDN; test.example.com has a > self-signed cert, etc). In these cases, "includeSubdomains" can't be > used. > > 2b) Cookie scoping (integrity): > Cookies set on webmail.example.com can be overwritten or deleted by > its subdomains, regardless of the "Secure" or "Domain" attributes. > Also, example.com and its subdomains could set an identically-named > cookie for Domain=example.com, which will get sent to > webmail.example.com. "Forcing" a cookie on the victim could allow an > attacker to log a victim into the attacker's account. The victim > might then enter credit card numbers or other data, similar to the > "login CSRF" attacks in [1]. > > This is harder to mitigate than 2a, as "Domain" and "Secure" > attributes have no effect, and the scope of hostnames that can affect > a victim hostname is not just the victim's subdomains, but everything > sharing the same TLD+1 domain (*.example.com, in this case). > > > Proposals > ========== > > 1) Origin Cookies: > http://tools.ietf.org/html/draft-abarth-cake-01 > http://w2spconf.com/2011/papers/session-integrity.pdf > > This adds an "Origin" attribute to cookies. Such cookies are > backwards-compatible with old browsers. New browsers would only > return them to the hostname that set them, via an "Origin-Cookie" > header, thus fixing 2a. To fix 2b, the browser might have to always > send something like "Origin-Cookie-Support: true" as an HTTP header, > so that an Origin Cookie supporting server would know to disregard > old-style cookies that might have been forced on the browser. > > This doesn't fix the "bearer token" aspect of cookies, but it seems a > simple, clean fix to the scoping problems. What happened to this? > > > 2) ChannelID > http://tools.ietf.org/html/draft-balfanz-tls-channelid-01 > > The browser adds an ECDSA public key and signature to every TLS > handshake. The server can implement "Channel-bound cookies" which are > associated with the public key. Such cookies can't be transferred > from one browser to another. > > This solves the "bearer token" aspect of cookies. It also solves a > big part of the scoping problem, since an attacker can't steal usable > cookies, or force her cookies on someone else. However, since the > same ChannelID public key is used for an entire TLD+1, an attacker who > could hack subdomain hosts or perform MITM could still: > - Delete cookies > - Steal a cookie from a user at A.example.com, and force it on the > same user at B.example.com > - Steal a cookie via a subdomain and then force it later on the same > user to "rollback" to an earlier state > > This also modifies the TLS stack, and adds a client-side signature > computation to every TLS session. > > > 3) Session Continuation Protocol > http://tools.ietf.org/html/draft-williams-websec-session-continue-proto-00 > > Instead of cookies, the server can set a symmetric "session key" into > the browser, and specify a range of hostnames to use it for. The > browser will send a nonce, and a MAC over the nonce, for every > connection to those hostnames. > > Since the nonce and MAC, if stolen, would suffice as a bearer token, > this doesn't solve 1. Since the Host-Scope of the session can be > specified arbitrarily, this solves 2a but not 2b. > > > 4) HTTP Session Management > http://tools.ietf.org/html/draft-hallambaker-httpsession-01 > > This is similar to (3), except the MAC can optionally be calculated > over "portions of the HTTP message", and the scoping rules are defined > to be identical to cookies as defined somewhere (not specified). This > might mitigate 1 somewhat, since a MAC, if stolen, could only be used > to replay requests similar to the stolen one. Cookie scoping problems > don't seem to be addressed. > > > Trevor > > > [1] http://seclab.stanford.edu/websec/csrf/csrf.pdf > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec
- [websec] Cookies: What is to be done? Trevor Perrin
- Re: [websec] Cookies: What is to be done? Hannes Tschofenig
- Re: [websec] Cookies: What is to be done? Yoav Nir
- Re: [websec] Cookies: What is to be done? Trevor Perrin
- Re: [websec] Cookies: What is to be done? Yoav Nir
- Re: [websec] Cookies: What is to be done? Tobias Gondrom
- Re: [websec] Cookies: What is to be done? Phillip Hallam-Baker
- Re: [websec] Cookies: What is to be done? Yoav Nir
- Re: [websec] Cookies: What is to be done? Yoav Nir
- Re: [websec] Cookies: What is to be done? Trevor Perrin