Re: I-D Action:draft-pettersen-cookie-v2-03.txt

Hi again,

With respect to section 8.1 (security considerations - protocol
design), particularly "a server can only share cookies with resource
in subfolders of the default path derived from the request-URI", I
would like to draw your attention to the many ways "path security" can
be bypassed:

http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html

As such, I would recommend not to state that path separation of
cookies has (above marginal) security value.

Thanks,
-Amit


On Tue, Nov 4, 2008 at 12:47 AM, Yngve N. Pettersen (Developer Opera
Software ASA) <yngve@opera.com> wrote:
>
>
> ------- Forwarded message -------
> From: Internet-Drafts@ietf.org
> To: i-d-announce@ietf.org
> Subject: I-D Action:draft-pettersen-cookie-v2-03.txt
> Date: Mon, 03 Nov 2008 23:15:01 +0100
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>        Title           : HTTP State Management Mechanism v2
>        Author(s)       : Y. Pettersen
>        Filename        : draft-pettersen-cookie-v2-03.txt
>        Pages           : 31
>        Date            : 2008-11-03
>
> This document specifies a way to create a stateful session with
> Hypertext Transfer Protocol (HTTP) requests and responses.  It
> describes three HTTP headers, Cookie, Cookie2, and Set-Cookie2, which
> carry state information between participating origin servers and user
> agents.  The method described here differs from both Netscape's
> Cookie proposal [Netscape], and [RFC2965], but it can, provided some
> requirements are met, interoperate with HTTP/1.1 user agents that use
> Netscape's method.  (See the HISTORICAL section.)
>
> This document defines new rules for how cookies can be shared between
> servers within a domain.  These new rules are intended to address
> security and privacy concerns that are difficult to counter for
> clients implementing Netscape's proposed rules or the rules specified
> by RFC 2965.
>
> This document reflects implementation experience with RFC 2965 and
> obsoletes it.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
>
>
> --
> Sincerely,
> Yngve N. Pettersen
>
> ********************************************************************
> Senior Developer                     Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
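The point Amit raises above, that the cookie Path attribute limits which cookies a user agent *sends* but is not an isolation boundary, can be made concrete. The following is an added example, not code from this thread or from the draft: it implements the default-path and path-match rules (as later standardized in RFC 6265, section 5.1.4) over a constructed cookie jar, and compares the web origin of two URLs on the same host. The cookie names, paths and host are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample jar: (cookie name, Path attribute) pairs for one host.
SAMPLE_JAR = [
    ("app_session", "/app"),
    ("admin_session", "/admin"),
    ("site", "/"),
]


def default_path(request_path):
    """Default-path of a request-URI path (RFC 6265, section 5.1.4):
    everything up to, but not including, the right-most '/'."""
    if not request_path or not request_path.startswith("/"):
        return "/"
    idx = request_path.rfind("/")
    if idx == 0:
        return "/"
    return request_path[:idx]


def path_matches(request_path, cookie_path):
    """Path-match as used by a user agent to decide whether a cookie
    is attached to a request (RFC 6265, section 5.1.4)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/app/" matches "/app/x"; "/app" matches "/app/x" but not "/application".
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_sent(jar, url):
    """Names of the cookies in `jar` that a user agent would send to `url`."""
    request_path = urlsplit(url).path or "/"
    return sorted(name for name, cpath in jar if path_matches(request_path, cpath))


def origin(url):
    """The web origin (scheme, host, port) that the same-origin policy
    uses as its security boundary. Note that the path plays no part."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


if __name__ == "__main__":
    app = "http://www.example.com/app/index"
    admin = "http://www.example.com/admin/"
    print("default path of /app/index:", default_path("/app/index"))
    print("sent to /app/index:", cookies_sent(SAMPLE_JAR, app))
    print("sent to /admin/:", cookies_sent(SAMPLE_JAR, admin))
    # Path keeps admin_session out of requests to /app, yet both URLs
    # share one origin, so the browser treats them as one security context.
    print("same origin:", same_origin(app, admin))
```

The path-match rule does what the draft says: `admin_session` is never attached to a request under `/app`. But `same_origin` returns `True` for the two URLs, which is why the separation is marginal as a security measure: the browser's security boundary is the origin, and two applications that share a host are in the same origin whatever their paths. Applications needing isolation from each other belong on separate hosts.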

Received on Tuesday, 11 November 2008 08:04:58 UTC