RE: new cookie draft from Yaron Goland on 1997-03-21 (ietf-http-wg@w3.org from January to March 1997)

From: Yaron Goland <yarong@microsoft.com>
Date: Thu, 20 Mar 1997 20:14:19 -0800
To: "'koen@win.tue.nl'" <koen@win.tue.nl>, dmk@research.bell-labs.com
Cc: http-wg@cuckoo.hpl.hp.com
Message-Id: <11352BDEEB92CF119F3F00805F14F485026B7219@RED-44-MSG.dns.microsoft.com>

How does your requirement make the situation any more secure? If port 80
is controlled by good guys and port 81 is controlled by bad guys, but
both ports on the same domain, won't the cookie still be transmitted to
port 81, regardless of your requirement?

I would suggest changing the domain specification to allow for the
inclusion of port number. So a domain could look like ".foo.bar.com:80".
Now if a site is concerned about someone taking over a port, they can
specify that only the identified port may be used. If they control the
entire server and have no worries, they may then leave the port number
out.

		Yaron

> -----Original Message-----
> From:	koen@win.tue.nl [SMTP:koen@win.tue.nl]
> Sent:	Thursday, March 20, 1997 9:49 AM
> To:	dmk@research.bell-labs.com
> Cc:	http-wg@cuckoo.hpl.hp.com
> Subject:	Re: new cookie draft
> 
> Dave Kristol:
> >
> >Well, sports fans, there's a new cookie draft.  Regrettably, the name
> >is draft-ietf-http-state-man-mec-00.  (I had wanted it to be
> >draft-ietf-http-state-mgmt-06.) I have withdrawn
> >draft-ietf-http-state-mgmt-errata-00, which the new draft subsumes.
> >
> >For the record, I know of two planned changes to the draft already:
> >
> >1) I'll drop the "same port" requirement.  (Cookies can return to any
> >port on any host to which they could otherwise legitimately be sent.)
> 
> Dropping this requirement opens a significant security hole, because
> not all
> servers on the same host need to be run by the same people.  Others
> have
> called this a `marginal case', but I do not want to ignore it: really
> tiny
> sites need security too.
> 
> The `same port' requirement that is in the spec now is a little too
> restrictive though.  I'd be happy if the current
> 
> Domain Selection
>      The origin server's fully-qualified host name must domain-match
> the
>      Domain attribute of the cookie.  The origin server's port number
>      must equal the port number of the server that sent the cookie.
> 
> gets rewritten to
> 
> Domain Selection 
>      The origin server's fully-qualified host name must domain-match
> the
>      Domain attribute of the cookie.  If the cookie does not
> explicitely
>      specify a Domain attribute, the origin server's port number must
>      equal the port number of the server that sent the cookie.
> 
> , but just dropping the port requirement won't do for me.
> 
> >Dave Kristol
> 
> Koen.

Received on Thursday, 20 March 1997 20:17:24 UTC