Re: The HTTP Origin Header (draft-abarth-origin)

On Jan 22, 2009, at 7:51 PM, Adam Barth wrote:
> On Thu, Jan 22, 2009 at 6:29 PM, Roy T. Fielding  
> <> wrote:
>> The feature of "defend themselves against CSRF by identifying
>> the referral page" is satisfied by "don't allow requests that
>> lack an appropriate Referer".  Your estimate that it would also
>> block some 3% of false negatives does not lessen its defense.
>> The 3% would get an error message in response.
> These 3% of potential users would be unable to use the Web site.  In
> talking with folks who run large Web sites, I've been told that
> excluding 3% of your potential customers is not acceptable.

No, those 3% of users would have to use TLS/SSL, which the site could
redirect to automatically (and should have been using anyway for a
state-changing authenticated request.  As your study shows, https
exchanges are not modified by those proxies.

Obviously, you would have had a different response if you had asked
them a more accurate question, like "would you prefer a 97% success
rate today or a 0% success rate today."

Referer was introduced in 1993, deployed by spiders in 1994, grudgingly
accepted by browsers in 1995, and only reached the 90% range sometime
around the 1999-2000 timeframe.  The notion that we can introduce Origin
now and reach anywhere near 97% correct deployment is absurd.

Meanwhile, those same sites will implement this CSRF protection
using Referer, if they need it, since 97% protection is obviously better
than no success if they want to protect against CSRF. That percentage
can already be improved to 99% if non-Referer state-changing requests  
(re)directed to an https site.  So, what you are actually asking is
that we standardize an entirely new header field in the vague hope
that it will eventually be deployed correctly on better than 97% of
browsers in the wild so that some 2.x% of those browsers that happen
to still be behind old non-CSRF-protecting proxies at that future
date might be able to use a separate codepath on the server that
duplicates all of the security checks for Referer instead of just
using an https connection, assuming that none of the browser
developers introduce a bug that makes Origin less secure than Referer.

Sorry, the answer from this server developer is NO.  Spend the
effort on improving the definition of Referer instead so that it
will be blocked by fewer proxies, and then help educate those
proxy vendors as to why they shouldn't make their own users more
vulnerable to CSRF attacks.  I suspect that you will have little
problem convincing sites to upgrade their old proxy if you can
show them a CSRF attack on, Google domains, or AWS
that is enabled by the proxy vendor's bad code or config.

>> Your claims are based on the assumption that those very same
>> 3% proxies will forward the Origin header unchanged.
> This is not an assumption.  In April 2008, measured how often various
> headers were suppressed for 283,945 browsers who viewed an
> advertisement we placed with a minor ad network.  We observed that the
> Referer header was suppressed for approximately 3% of requests whereas
> the Origin header was only suppressed 0.029-0.047% of requests (95%
> confidence).  For more detailed results and a description of the
> methedology, please see Section 4.2.1 of

I read the paper.  I am not sure if automated ad serving technology
would change the sample size to be self-selecting (and therefore not
representative of deployed browsers), but I doubt that it would change
the analysis much.  Regardless, Origin is not deployed and there is
no reason to believe that it would ever reach the 97% deployment
threshold.  Heck, HTTP parsing isn't implemented correctly in far
more than 3% of the browsers in the wild.

>> Your assumption is wrong.
> What evidence do you have to back up this claim?

16 years of Web protocol implementations, 14 years being the editor
of the HTTP specs, and 13 years in which my contact information has
been supplied for people to send "why doesn't HTTP work?" messages
for both standards and Apache httpd.  For example, there was a period
when some MS folks thought that HTTP/1.1 chunked encoding didn't work,
until I pointed out that all of their tests were being made though
their own corporate firewall (eating characters).  I get that stuff
all the time.


Received on Saturday, 24 January 2009 01:17:56 UTC