
Re: The HTTP Origin Header (draft-abarth-origin)

From: Adrien de Croy <adrien@qbik.com>
Date: Tue, 27 Jan 2009 15:46:51 +1300
Message-ID: <497E759B.9040501@qbik.com>
To: Adam Barth <w3c@adambarth.com>
CC: ietf-http-wg@w3.org



Adam Barth wrote:
> On Mon, Jan 26, 2009 at 5:34 PM, Adrien de Croy <adrien@qbik.com> wrote:
>   
>> Adam Barth wrote:
>>     
>>> It is impossible to secure all the users who visit your Web site.  You
>>> cannot secure users with IE5 or Firefox 1.0, for example.  Moreover,
>>> the header provides incremental value while it is being deployed.
>>>       
>> Do you have any more information on this you could refer me to?  I find it
>> hard to believe that there can be no security scheme which would be
>> browser-independent.
>>     
>
> These browsers are no longer maintained by their vendors.  Whenever
> you see a vulnerability patched for IE7 or Firefox 3, there is a good
> chance that vulnerability also exists in IE5 or Firefox 1.0.  In the
> context of this discussion, that means the "secret" tokens you rely
> upon for CSRF protection are not secret, and the attacker is free to
> mount a CSRF attack against your site.
>
>   

I was referring to a secure system that does not rely on secrecy, since 
we all know that secrecy is not security.

E.g. some sort of random token + hashing, where you pass a token to the 
browser, it does something to it (e.g. in script), and passes the result 
back.

One that can't be forged and can't be replayed.

Regards

Adrien

> Adam
>   

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 27 January 2009 02:44:45 GMT
