
Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Ben Adida <ben@adida.net>
Date: Tue, 07 Jun 2011 16:00:06 -0700
Message-ID: <4DEEAD76.2090800@adida.net>
To: Nico Williams <nico@cryptonector.com>
CC: "William J. Mills" <wmills@yahoo-inc.com>, "Paul E. Jones" <paulej@packetizer.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Adam Barth <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On 6/7/11 3:57 PM, Nico Williams wrote:
> Not if the MAC doesn't protect enough of the request _and_ response to
> prevent active attacks.  Unless you don't care about those attacks
> (which some of you have indicated), in which case why bother with the
> MAC at all?

A passive attacker can sniff your cookie and thus hijack your session. 
All you need to accomplish that attack is connect to any open wifi 
network and use Firesheep. It's a good bit harder to be an active 
attacker, even on an open wireless network.

So there is a difference between passive and active network attackers in 
terms of feasibility, and MAC cookies limit the scope of what a passive 
attacker can do.

-Ben
Received on Tuesday, 7 June 2011 23:00:45 GMT
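The distinction Ben draws (a sniffed session cookie is the whole session, while a sniffed MAC only vouches for the one request it was computed over) as an added Python example; this is not code from the thread or from the HTTP MAC draft. The normalized-request layout is a simplified assumption modelled on the draft, and the key, cookie and request values are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample values. The MAC key never travels on the wire;
# only the client and the server hold it.
MAC_KEY = b"constructed-demo-key"
SESSION_COOKIE = "constructed-session-cookie-value"

def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    """String the MAC covers; layout modelled on the HTTP MAC draft (assumption)."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]) + "\n"

def compute_mac(key, ts, nonce, method, uri, host, port, ext=""):
    msg = normalized_request(ts, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def bearer_cookie_accepts(cookie):
    """Plain cookie auth: whoever presents the cookie value is the user."""
    return hmac.compare_digest(cookie, SESSION_COOKIE)

class MacVerifier:
    """Server side: recomputes the MAC and refuses nonces it has already accepted."""
    def __init__(self, key):
        self.key = key
        self.seen = set()

    def accepts(self, ts, nonce, method, uri, host, port, mac):
        if (ts, nonce) in self.seen:
            return False            # verbatim replay of a request already served
        expected = compute_mac(self.key, ts, nonce, method, uri, host, port)
        if not hmac.compare_digest(expected, mac):
            return False            # MAC does not cover this request
        self.seen.add((ts, nonce))
        return True

def passive_attacker_outcome():
    """What an eavesdropper who captured one request can do under each scheme."""
    server = MacVerifier(MAC_KEY)
    # Legitimate client sends one signed request; the sniffer records everything on the wire.
    captured = dict(ts=1307487606, nonce="dj83hs9s", method="GET",
                    uri="/account", host="example.com", port=443)
    captured["mac"] = compute_mac(MAC_KEY, **captured)
    legit_ok = server.accepts(**captured)
    # Eavesdropper replays the captured request byte-for-byte: nonce already seen.
    replay_ok = server.accepts(**captured)
    # Eavesdropper reuses the captured MAC on a different request: MAC no longer matches.
    forged = dict(captured, uri="/account/transfer", nonce="fresh1")
    forge_ok = server.accepts(**forged)
    # Same eavesdropper against a plain session cookie: the value alone is the session.
    cookie_ok = bearer_cookie_accepts(SESSION_COOKIE)
    return {"legit": legit_ok, "replay": replay_ok, "forge": forge_ok, "cookie_hijack": cookie_ok}
```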
