
Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 7 Jun 2011 18:09:34 -0500
Message-ID: <BANLkTik7LyPWssAb0EBmx11hK53hiwgmrA@mail.gmail.com>
To: Ben Adida <ben@adida.net>
Cc: "William J. Mills" <wmills@yahoo-inc.com>, "Paul E. Jones" <paulej@packetizer.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Adam Barth <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On Tue, Jun 7, 2011 at 6:00 PM, Ben Adida <ben@adida.net> wrote:
> On 6/7/11 3:57 PM, Nico Williams wrote:
>>
>> Not if the MAC doesn't protect enough of the request _and_ response to
>> prevent active attacks.  Unless you don't care about those attacks
>> (which some of you have indicated), in which case why bother with the
>> MAC at all?
>
> A passive attacker can sniff your cookie and thus hijack your session. All
> you need to accomplish that attack is connect to any open wifi network and
> use Firesheep. It's a good bit harder to be an active attacker, even on an
> open wireless network.

Yes, but only for resources that you've already stated you don't care about.

If you cared about those resources you'd protect more of the request
_and_ response, or you'd use TLS.  But you don't want to protect the
response and you don't want to use TLS and you don't even want to
protect the request body.  What you're proposing adds a very marginal
degree of security that will be trivial to defeat on open wifi
(particularly once the toolset for doing it gets published).

Are we serious about security?  Or is this just for show?

Or am I missing something?

Nico
--
Received on Tuesday, 7 June 2011 23:09:57 GMT
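An added illustration of the coverage point argued above (example code written for this archive page, not from the thread or from any MAC draft): a simplified MAC over a normalized request string, computed once without a body hash and once with it, to check whether an on-path modification of the request body is detected. The field layout, key and sample values are assumptions, not the draft's exact normalization.

```python
import hashlib
import hmac

# Constructed shared secret; in the scheme this is the MAC key issued with the token.
KEY = b"constructed-demo-mac-key"


def normalized_string(nonce, method, uri, host, port, body_hash=""):
    """Simplified normalized request string: one field per line, newline-terminated.
    This is an assumed layout for the demo, not the draft's exact format."""
    return "\n".join([nonce, method, uri, host, str(port), body_hash]) + "\n"


def body_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def sign(nonce, method, uri, host, port, body=b"", cover_body=False):
    """Compute the request MAC. With cover_body=False the body is simply not part
    of what the MAC protects, which is the gap discussed in the thread."""
    bh = body_hash(body) if cover_body else ""
    msg = normalized_string(nonce, method, uri, host, port, bh).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def verify(mac, nonce, method, uri, host, port, body=b"", cover_body=False):
    """Server-side check: recompute the MAC over what was actually received."""
    expected = sign(nonce, method, uri, host, port, body, cover_body)
    return hmac.compare_digest(mac, expected)


def body_tampering_detected(cover_body):
    """Client signs a POST; the body arriving at the server differs from what
    was signed. Returns True only if verification fails on the altered body.
    The same reasoning applies to the response, which the scheme leaves uncovered."""
    nonce, method, uri, host, port = "constructed-nonce-1", "POST", "/transfer", "example.com", 80
    original = b"amount=10&to=alice"       # constructed sample body
    modified = b"amount=10000&to=other"    # constructed altered body
    mac = sign(nonce, method, uri, host, port, original, cover_body)
    # Unmodified request must still verify under either policy.
    assert verify(mac, nonce, method, uri, host, port, original, cover_body)
    return not verify(mac, nonce, method, uri, host, port, modified, cover_body)


if __name__ == "__main__":
    print("body covered:", body_tampering_detected(True))     # True
    print("body not covered:", body_tampering_detected(False))  # False
```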
