Fwd: Secdir review of draft-ietf-httpbis-p6-cache-20

FYI.

Begin forwarded message:

> Resent-From: kivinen@iki.fi
> From: Tero Kivinen <kivinen@iki.fi>
> Subject: Secdir review of draft-ietf-httpbis-p6-cache-20
> Date: 4 September 2012 11:51:01 PM AEST
> Resent-To: fielding@gbiv.com, julian.reschke@greenbytes.de, mnot@mnot.net, mnot@pobox.com,, stpeter@stpeter.im, ylafon@w3.org
> To: iesg@ietf.org, secdir@ietf.org, draft-ietf-httpbis-p6-cache.all@tools.ietf.org
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
> 
> This document is part 6 of the HTTP/1.1 and covers the caching in
> http.
> 
> The security considerations section is quite short covering the case
> that caches are attractive targets for attackers and that the fact
> that cache can reveal information long after the information has been
> removed from the network.
> 
> I think the security considerations section should list other attacks
> too. Things that comes to my mind:
> 
> - Cache poisoning attacks, i.e. attacker who can control the
>  www-server for a moment could pre-load cache with stuff that will
>  stay there for long time (as long as the cache control attributes
>  say). This includes negative result (404) caching.
> 
> - Cache caching stuff that was not supposed to be cached, like
>  authentication credentials in forms of cookies (the RFC6265 - "HTTP
>  State Management Mechanism" says that the presense of the cookies
>  does not preclude HTTP caches from storing and reusing a response).
>  This can be problem unless all applications using cookies actually
>  make sure that they set all pages as non-cacheable.
> 
> - Cache might leak out information to other users of the cache who
>  fetched the page in the first time. This leaking can happen in
>  multiple ways (for example cookies, etc). Actually just timing can
>  tell that someone has already fetched the page to the cache, which
>  in some cases might be enough to leak information out.
> 
> There most likely are still other attacks which I did not list above.
> 
> Also as cookies are quite often used in various things like
> authentication, session identifiers, language selection etc, I think
> the section 3 should mention something about them, especially mention
> that RFC6265 says they can be cached (this was suprise for me, I would
> have expected cookies to be counted in the same category as
> authorization fields i.e. fields thta disable caching).
> 
> I was also suprised not to find warning about the caching of the
> cookies in the RFC6265, but perhaps we should add note here in
> security considerations section saying that by default cookies are
> cachable, so applications using them must make sure they are not
> cached unless wanted so. It might not be able to reach its intended
> users (the ones writing web applications), but at least it might
> spread the information to some relevant parties.
> 
> In summary I think this document needs bit more work in security
> considerations section.
> -- 
> kivinen@iki.fi

--
Mark Nottingham   http://www.mnot.net/

Received on Wednesday, 5 September 2012 01:57:02 UTC