Re: The HTTP Origin Header (draft-abarth-origin)

Adam Barth wrote:
> On Mon, Jan 26, 2009 at 5:34 PM, Adrien de Croy <> wrote:
>> Adam Barth wrote:
>>> It is impossible to secure all the users who visit your Web site.  You
>>> cannot secure users with IE5 or Firefox 1.0, for example.  Moreover,
>>> the header provides incremental value while it is being deployed.
>> Do you have any more information on this you could refer me to?  I find it
>> hard to believe that there can be no security scheme which would be
>> browser-independent.
> These browsers are no longer maintained by their vendors.  Whenever
> you see a vulnerability patched for IE7 or Firefox 3, there is a good
> chance that vulnerability also exists in IE5 or Firefox 1.0.  In the
> context of this discussion, that means the "secret" tokens you rely
> upon for CSRF protection are not secret, and the attacker is free to
> mount a CSRF attack against your site.

I was referring to a secure system that does not rely on secrecy, since 
we all know that secrecy is not security.

E.g. some sort of random token + hashing, where you pass a token to the 
browser, it does something to it (e.g. in script), and passes the result 

one that can't be forged, and can't be replayed



> Adam

Adrien de Croy - WinGate Proxy Server -

Received on Tuesday, 27 January 2009 02:44:45 UTC