Re: draft-ietf-http-state-mgmt-01.txt LAST CALL

On Fri, 14 Jun 1996, Dave Kristol wrote:

> "Marc Salomon" <> wrote:
>   > Would this still be the case if the domain issuing the cookie were required to
>   > be included amongst the multiple domains in the cookie?  If the cookie were
> No.  An adversary could simply add itself to the list of Domains it
> intercepts.  A subsequent visit to the adversary's site would disclose
> the Cookie.

I must be missing something ... if the MITM adds to the domains associated
with a cookie, haven't they ALREADY intercepted the cookies, so what does
it matter if the cookie is provided on a future link to the MITM's domain?

I think the exposure would be that an adversary site would generate a
cookie which applied to itself and to an under-attack domain. Later the
bogus cookie would be sent to the attacked domain, possibly causing
invalid results.

Some form of expanded domain partnerships might work (in the future) if
both partners expressed the identity relationship to the client. Even
then the MITM might be able to fake things.

Dave Morris

Received on Friday, 14 June 1996 15:35:52 UTC
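
Added example, not part of the original message or of the draft: a minimal user-agent cookie store for a hypothetical multi-domain cookie, showing the exposure described above and one client-side check that blocks it. The host names, the CookieJar class and the simplified suffix match are assumptions made for illustration.

```python
from typing import List, Tuple

Cookie = Tuple[str, str, List[str]]  # (name, value, domains the cookie claims)


def domain_match(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-aligned)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def foreign_domains(request_host: str, domains: List[str]) -> List[str]:
    """Domains listed on the cookie that the issuing host does not belong to."""
    return [d for d in domains if not domain_match(request_host, d)]


class CookieJar:
    def __init__(self, strict: bool):
        self.strict = strict          # strict: every listed domain must match the issuer
        self.cookies: List[Cookie] = []

    def set_cookie(self, request_host: str, name: str, value: str,
                   domains: List[str]) -> bool:
        # Listing the issuer's own domain is not enough: one foreign entry
        # is sufficient to plant the cookie on another site.
        if self.strict and foreign_domains(request_host, domains):
            return False
        self.cookies.append((name, value, list(domains)))
        return True

    def cookies_for(self, request_host: str) -> List[Tuple[str, str]]:
        return [(n, v) for n, v, ds in self.cookies
                if any(domain_match(request_host, d) for d in ds)]


def demo() -> dict:
    """Constructed scenario: shop.example is the attacked domain."""
    sent = {}
    for strict in (False, True):
        jar = CookieJar(strict)
        jar.set_cookie("www.shop.example", "session", "real", [".shop.example"])
        jar.set_cookie("www.adversary.example", "session", "forged",
                       [".adversary.example", ".shop.example"])
        sent[strict] = jar.cookies_for("www.shop.example")
    return sent


if __name__ == "__main__":
    print(demo())
```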