Re: I-D ACTION:draft-ietf-httpbis-security-properties-04.txt

Comments on Section 2.1:

"The protocol in RFC 2109 is relatively widely implemented"
=> This isn't really true.  No one actually implements the protocol in
RFC 2109.  I'd encourage the authors of this document to refer to
<http://tools.ietf.org/html/draft-ietf-httpstate-cookie>, which is
widely implemented.

"Forms and cookies have many properties that make them an excellent
solution for some implementers."
=> The word "excellent" here is a bit of an overstatement.  Forms and
cookies are widely used but I doubt many people would describe them as
an excellent solution.

"The cookies that result from a successful form submission make it
unnecessary to validate credentials with each HTTP request;"
=> This statement is misleading.  Servers still need to validate each
HTTP request to avoid cross-site request forgery attacks.

"measures to prevent such attacks will never be as stringent as
necessary for authentication credentials because cookies are used for
many purposes"
=> It seems presumptuous to make claims over what will "never" happen.
It's entirely possible that we'll think of something clever in the
future that makes this statement false.

IMHO, <http://tools.ietf.org/html/draft-ietf-httpstate-cookie> gives a
more accurate picture of the security issues with cookies in its
security considerations section (but I might be biased since I edit
that document).  I'd be happy to contribute specific text for this
section if that would be helpful.

Adam


On Wed, Mar 10, 2010 at 8:45 AM,  <Internet-Drafts@ietf.org> wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Hypertext Transfer Protocol Bis Working Group of the IETF.
>
>        Title           : Security Requirements for HTTP
>        Author(s)       : J. Hodges, B. Leiba
>        Filename        : draft-ietf-httpbis-security-properties-04.txt
>        Pages           : 13
>        Date            : 2010-3-8
>
> Recent IESG practice dictates that IETF protocols must specify
>   mandatory-to-implement (MTI) security mechanisms, so that all
>   conformant implementations share a common baseline.  This document
>   examines all widely deployed HTTP security technologies, and analyzes
>   the trade-offs of each.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-04.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
>
>
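As an added illustration of the cross-site request forgery point raised in the reply above (example code written for this archive page, not from either Internet-Draft): a handler that trusts the session cookie alone accepts a form post that a browser submits from another site, because the browser attaches the cookie automatically; a handler that also validates the Origin header and a per-session token rejects it. The site name, request shape and handler names are constructed assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store and server-side key (hypothetical).
SESSIONS = {}
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"

@dataclass
class Request:
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def login(user: str) -> str:
    """A successful form login issues the session cookie (the form + cookie scheme)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid

def csrf_token(sid: str) -> str:
    """Per-session anti-CSRF token: a keyed MAC over the session id."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

def handle_transfer_cookie_only(req: Request) -> bool:
    """Trusts the cookie alone: any POST carrying a live session is accepted."""
    return req.method == "POST" and req.cookies.get("sid", "") in SESSIONS

def handle_transfer_checked(req: Request) -> bool:
    """Validates each request: live session, same-site Origin, and a matching token."""
    sid = req.cookies.get("sid", "")
    if req.method != "POST" or sid not in SESSIONS:
        return False
    if req.headers.get("Origin") != SITE_ORIGIN:
        return False
    return hmac.compare_digest(req.form.get("csrf", ""), csrf_token(sid))

def demo():
    sid = login("alice")
    # Legitimate same-site form submission: cookie, token and Origin all present.
    good = Request("POST", {"sid": sid}, {"csrf": csrf_token(sid), "amount": "10"},
                   {"Origin": SITE_ORIGIN})
    # Form post from another site: the cookie still rides along, but the token is
    # unknown to that site and the Origin header names it.
    cross_site = Request("POST", {"sid": sid}, {"amount": "1000"},
                         {"Origin": "https://other.example"})
    return (handle_transfer_cookie_only(good), handle_transfer_cookie_only(cross_site),
            handle_transfer_checked(good), handle_transfer_checked(cross_site))
```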

Received on Wednesday, 10 March 2010 17:19:27 UTC