W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

considerations for draft-west-leave-secure-cookies-alone-04

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 22 Dec 2015 20:10:52 -0800
Message-ID: <CADBiRd0pgpMt=XYv-icOXMw1j4Wuc7yxad1S7hH_Ba82GjzmSA@mail.gmail.com>
To: httpbis <ietf-http-wg@w3.org>
As written, draft-west-leave-secure-cookies-alone-04 gives the impression
that it solves the secure cookie integrity problem.  However, there's still
a risk that a network attacker can set a non-secure cookie before the
honest server gets a chance to set a secure cookie.  Because the secure
cookie doesn't yet exist in the cookie store, the user agent with accept
the non-secure cookie and the honest server might still be fooled.

IMHO, we should explain this risk in the security considerations section.
Here's some example text that you should feel free to edit/use/ignore:

Although user agents prevent insecure URIs from overwriting cookies with
the Secure attribute, a network attacker might still be able to inject
cookies into the Cookie header sent to https://example.com/ if the attacker
is able to impersonate a response from http://example.com/ before the user
agent receives a genuine response from https://example.com/.  In that
situation, the user agent will accept the attacker's cookie because the
genuine cookie does not yet exist in the user agent's cookie store. The
HTTPS server at example.com will be unable to distinguish these cookies
from cookies that it set itself in an HTTPS response.  An active network
attacker might be able to leverage this ability to mount an attack against
example.com even if example.com uses HTTPS exclusively.

Received on Wednesday, 23 December 2015 04:11:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC