
Re: draft-ietf-http-state-mgmt-01.txt LAST CALL

From: David W. Morris <dwm@shell.portal.com>
Date: Fri, 14 Jun 1996 15:31:51 -0700 (PDT)
To: Dave Kristol <dmk@allegra.att.com>
Cc: marc@ckm.ucsf.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.93.960614152537.12745D-100000@jobe.shell.portal.com>


On Fri, 14 Jun 1996, Dave Kristol wrote:

> "Marc Salomon" <marc@ckm.ucsf.edu> wrote:
>   > Would this still be the case if the domain issuing the cookie were required to
>   > be included amongst the multiple domains in the cookie?  If the cookie were
> No.  An adversary could simply add itself to the list of Domains it
> intercepts.  A subsequent visit to the adversary's site would disclose
> the Cookie.

I must be missing something ... if the MITM adds to the domains associated
with a cookie, haven't they ALREADY intercepted the cookies, so what does
it matter if the cookie is provided on a future link to the MITM's domain?

I think the exposure would be that an adversary site would generate a
cookie which applied to itself and to an under-attack domain. Later, the
bogus cookie would be sent to the attacked domain, possibly causing
invalid results.

Some form of expanded domain partnerships might work (in the future) if
both partners expressed the identity relationship to the client. Even
then the MITM might be able to fake things.

Dave Morris
Received on Friday, 14 June 1996 15:35:52 EDT
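
The following is an added illustration, not part of the original message or of the draft under discussion. It models a user agent's cookie jar under the hypothetical multi-domain proposal from the thread (accept a cookie if the issuing host is among the listed domains) next to an assumed stricter check (every listed domain must cover the issuing host), and shows which cookies the jar would return to a site. The host names, the `Jar` class and both policy functions are constructed for this example.

```python
# Added example. The multi-domain Domain list is the hypothetical proposal
# discussed in the thread; all names and hosts below are constructed.

def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def accept_if_issuer_listed(issuer, domains):
    """Proposed rule: the issuing host must match at least one listed domain."""
    return any(domain_match(issuer, d) for d in domains)

def accept_if_all_cover_issuer(issuer, domains):
    """Assumed stricter rule: every listed domain must cover the issuing host."""
    return bool(domains) and all(domain_match(issuer, d) for d in domains)

class Jar:
    """Minimal cookie store: the acceptance policy is applied on set."""
    def __init__(self, policy):
        self.policy = policy
        self.cookies = []  # entries are (name, value, domains)

    def set_cookie(self, issuer, name, value, domains):
        if not self.policy(issuer, domains):
            return False  # rejected by the acceptance policy
        self.cookies.append((name, value, tuple(domains)))
        return True

    def cookies_for(self, host):
        """Cookies the user agent would attach to a request for host."""
        return [(n, v) for n, v, ds in self.cookies
                if any(domain_match(host, d) for d in ds)]

def scenario(policy):
    """shop.example sets its own cookie; other.example then issues one
    that lists both itself and shop.example."""
    jar = Jar(policy)
    jar.set_cookie("shop.example", "session", "legit", ["shop.example"])
    jar.set_cookie("other.example", "session", "bogus",
                   ["other.example", "shop.example"])
    return jar.cookies_for("shop.example")

if __name__ == "__main__":
    print("issuer-listed rule  :", scenario(accept_if_issuer_listed))
    print("all-cover-issuer rule:", scenario(accept_if_all_cover_issuer))
```

Under the issuer-listed rule the jar returns both the site's own cookie and the one set by the other host, so the receiving server cannot tell which value it issued; under the stricter rule only its own cookie comes back.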
