W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

draft-west-leave-secure-cookies-alone

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 21 Oct 2015 15:05:31 -0700
Message-ID: <CABkgnnXnC+TxPipsvLaGmDtD31ACyUcwYvy2RfmO9k08tw9Y_w@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>, Mike West <mkwst@google.com>
https://tools.ietf.org/html/draft-west-leave-secure-cookies-alone-01

I realize that we haven't discussed this at all, but it seems like a
no-brainer to me.  That is, if someone (Mike?) has a satisfactory
answer to this question: do you know what level of breakage is this
going to cause?  I have heard that this misfeature is relied upon by
some non-trivial number of sites.

For me, as long I can be satisfied that the breakage is extremely low,
or that it will soon be, then that's sufficient.  However, a
non-trivial amount of bustage will likely prevent us from deploying a
change like this.

The authors of the paper recommended that non-secure cookies be simply
given less precedence, so that they could not override cookies set by
their secure brethren.  That seems far less likely to cause
compatibility issues.  But I do prefer the change in the draft, if it
can be made to stick.

Either way, I'd support working on neutering this class of attacks.
Received on Wednesday, 21 October 2015 22:06:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC