Re: [websec] [Technical Errata Reported] RFC6797 (4075)

"Eric Lawrence" <> Fri, 08 August 2014 21:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 217CC1A00BE for <>; Fri, 8 Aug 2014 14:52:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.153
X-Spam-Level: *
X-Spam-Status: No, score=1.153 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, TVD_FINGER_02=1.215] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FpiYpVr8ptzw for <>; Fri, 8 Aug 2014 14:52:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7675F1A00B0 for <>; Fri, 8 Aug 2014 14:52:12 -0700 (PDT)
Received: from COL131-DS10 ([]) by with Microsoft SMTPSVC(7.5.7601.22701); Fri, 8 Aug 2014 14:52:11 -0700
X-TMN: [AYGQ5pxSUIy9aIhw722ONw+9alqsacej]
X-Originating-Email: []
Message-ID: <COL131-DS10F844603100882CC36852F0EE0@phx.gbl>
From: Eric Lawrence <>
To: Yoav Nir <>
References: <> <> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <> <>
In-Reply-To: <>
Date: Fri, 08 Aug 2014 16:52:10 -0500
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="Windows-1252"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 08 Aug 2014 21:52:11.0869 (UTC) FILETIME=[0243D0D0:01CFB353]
X-Mailman-Approved-At: Sat, 09 Aug 2014 13:21:11 -0700
Cc: Barry Leiba <>, Jeff Hodges <>, Pete Resnick <>,, Collin Jackson <>, RFC Errata System <>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 09 Aug 2014 17:50:01 -0000

Hi, Yoav--

Ivan Ristic's new "Bulletproof SSL and TLS" covers "Cookie Manipulation 
Attacks" quite nicely.  As he explains well, a serious limitation with HTTP 
cookies is that they do not carry their metadata when resent to the server, 
so a secure cookie set by "" is, upon receipt by the 
server in a request's Cookie header, indistinguishable from a insecure 
cookie of the same name set by "". The cookie does not convey 
the origin from which it was set.

RFC6797 Section 14 notes that HSTS's includeSubdomains feature blocks a 
similar problem (namely, an insecure cookie set by could be set against its parent However, because includeSubdomains only applies to 
sub-domains, rather than parent-domains, this protection is insufficient to 
address cookie injection attacks against a parent domain.

It's hard to argue that this limitation is a flaw in HSTS (because the 
alternative would be to permit a subdomain to define a HSTS policy for its 
parent). However, because it is a threat against a site that is otherwise 
protected via HSTS, I would suggest that there should be implementation 
guidance of the form: "Any page secured by HSTS that is at a 
third-level-effective-domain (www.privatedomain.etld) or lower in the DNS 
hierarchy should include a resource reference to the parent privatedomain 
(e.g. https://privatedomain.etld/1x1.gif) such that the dereferencing of 
that resource will provide the UA the opportunity to store a HSTS policy 
that will protect the entire privatedomain tree."


-----Original Message----- 
From: Yoav Nir
Sent: Friday, August 8, 2014 4:16 PM
To: Eric Lawrence ; Barry Leiba
Cc: RFC Errata System ; Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete 
Resnick ; Tobias Gondrom ;
Subject: Re: [Technical Errata Reported] RFC6797 (4075)

On Aug 8, 2014, at 10:54 PM, Barry Leiba <> wrote:

>> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I understand
>> the distinction here. To me, it seems that the RFC's threat model is
>> incomplete.
> Perhaps it is, but the distinction is about whether an error was made
> in writing the document, or whether there's a flaw in the protocol, an
> issue that wasn't considered in the discussion, or the like.
> The sentence you're addressing is entirely consistent with the rest of
> Section 14.4, and doesn't look like "errata" to me.  It's quite
> possible that the working group blew it and should have thought about
> things differently.  It's possible that someone should write an update
> to RFC 6797 to correct it, and that your input would be useful.
> But you're asking the websec working group to consider an update, not
> making an errata report, as I see it.
> Does anyone from websec have a comment on this?

Hi Barry.

Reading this, it doesn’t look like an error in the document, but as an 
attack that the group may not have considered, which HSTS may not protect. 
If this is indeed valid, and if this had been caught in IETF last call or 
IESG review, this would probably have been sent back to the working group to 

Eric: I’m trying to understand the issue, so please see the below and tell 
me if I understood it correctly.

Suppose we set up and a sub-domain of 
and set HSTS on that domain (but not on, which is available 
in HTTP)
I browse Because I’m not using HTTPS, an attacker 
intercepts the connection and injects a cookie for all subdomain (Path=/;
My next connection to will send this cookie.

Did I get this correctly?

So my first reaction was “No way. You can’t set a Secure cookie over an HTTP 
connection, can you?  Just like you can’t set HSTS over an HTTP connection.” 
So I went to find where in RFC 6265 it says that. So of course it doesn’t. 
Googling it shows that I’m not the first to wonder about that. In anyone has 
some insight about this, I’d be glad to know. Is it just that cookies have 
always worked like this, so we’re not changing it now?

Unless I’m missing something, this could be a real problem, and there are 
several ways to mitigate it. Any of them requires a new document that either 
replaces 6797 or updates it ( I can see this solved with a 2-page + 
boilerplate document). But I don’t think an errata report is the way to go 
on this.