- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 22 Dec 2015 20:10:52 -0800
- To: httpbis <ietf-http-wg@w3.org>
- Message-ID: <CADBiRd0pgpMt=XYv-icOXMw1j4Wuc7yxad1S7hH_Ba82GjzmSA@mail.gmail.com>
As written, draft-west-leave-secure-cookies-alone-04 gives the impression that it solves the secure cookie integrity problem. However, there's still a risk that a network attacker can set a non-secure cookie before the honest server gets a chance to set a secure cookie. Because the secure cookie doesn't yet exist in the cookie store, the user agent will accept the non-secure cookie and the honest server might still be fooled. IMHO, we should explain this risk in the security considerations section. Here's some example text that you should feel free to edit/use/ignore:

---8<---

Although user agents prevent insecure URIs from overwriting cookies with the Secure attribute, a network attacker might still be able to inject cookies into the Cookie header sent to https://example.com/ if the attacker is able to impersonate a response from http://example.com/ before the user agent receives a genuine response from https://example.com/. In that situation, the user agent will accept the attacker's cookie because the genuine cookie does not yet exist in the user agent's cookie store. The HTTPS server at example.com will be unable to distinguish these cookies from cookies that it set itself in an HTTPS response. An active network attacker might be able to leverage this ability to mount an attack against example.com even if example.com uses HTTPS exclusively.

--->8----

Adam
Received on Wednesday, 23 December 2015 04:11:40 UTC
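The following toy cookie-store model is an added illustration of the point made in the message above; it is not code from the draft, from the thread, or from any user agent. It implements a simplified form of the draft's rule (a response over a non-secure scheme may neither set a Secure cookie nor replace an existing Secure cookie of the same name on the same domain) and replays the two orderings discussed: the secure cookie already present when the forged http response arrives, and the forged response arriving first. The cookie name `SID`, the values `genuine` and `injected`, and the exact-match domain handling are assumptions made for the example; path handling, expiry and the other RFC 6265 attributes are deliberately omitted.

```python
"""Toy cookie store with the 'leave secure cookies alone' rule.

Constructed example, not code from draft-west-leave-secure-cookies-alone or
from the thread. Cookies are keyed by (name, domain, path); domain matching is
exact and expiry/other attributes are ignored.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool


def parse_set_cookie(header: str, domain: str) -> Cookie:
    """Parse a minimal Set-Cookie header: name=value[; Path=...][; Secure]."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path, secure = "/", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and val:
            path = val
        elif key.lower() == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), domain, path, secure)


class CookieStore:
    def __init__(self, leave_secure_alone: bool = True):
        self.leave_secure_alone = leave_secure_alone
        self._jar: Dict[Tuple[str, str, str], Cookie] = {}

    def set_cookie(self, scheme: str, domain: str, header: str) -> bool:
        """Apply a Set-Cookie header from a response; return True if stored."""
        cookie = parse_set_cookie(header, domain)
        from_secure = scheme == "https"
        if self.leave_secure_alone and not from_secure:
            # A non-secure origin may not create a Secure cookie ...
            if cookie.secure:
                return False
            # ... nor replace an existing Secure cookie of the same name on
            # the same domain (simplified form of the draft's rule).
            for existing in self._jar.values():
                if (existing.secure and existing.name == cookie.name
                        and existing.domain == cookie.domain):
                    return False
        self._jar[(cookie.name, cookie.domain, cookie.path)] = cookie
        return True

    def cookie_header(self, scheme: str, domain: str, path: str = "/") -> str:
        """Build the Cookie request header for scheme://domain/path."""
        from_secure = scheme == "https"
        matched = [c for c in self._jar.values()
                   if c.domain == domain and path.startswith(c.path)
                   and (from_secure or not c.secure)]
        # Longer paths first, as RFC 6265 orders the Cookie header.
        matched.sort(key=lambda c: len(c.path), reverse=True)
        return "; ".join(f"{c.name}={c.value}" for c in matched)


def run_scenario(secure_first: bool, leave_secure_alone: bool = True) -> str:
    """Replay one ordering and return the Cookie header the user agent would
    send on its next request to https://example.com/ (values are constructed)."""
    store = CookieStore(leave_secure_alone)
    genuine = ("https", "SID=genuine; Secure")   # honest server's HTTPS response
    injected = ("http", "SID=injected")          # forged plaintext http response
    # When the forged response comes first, no genuine response has arrived yet.
    order = [genuine, injected] if secure_first else [injected]
    for scheme, header in order:
        store.set_cookie(scheme, "example.com", header)
    return store.cookie_header("https", "example.com", "/")


if __name__ == "__main__":
    print("secure cookie present, rule on :", run_scenario(True, True))
    print("secure cookie present, rule off:", run_scenario(True, False))
    print("forged response first, rule on :", run_scenario(False, True))
```

The first two lines of output show what the draft fixes: with the rule off the non-secure cookie replaces the Secure one, with the rule on it is rejected. The third line is the gap the message describes: when no Secure cookie exists yet, the rule has nothing to protect, the injected cookie is stored, and it is sent on the next HTTPS request looking exactly like a cookie the server set itself. A server cannot tell the two apart from the Cookie header alone, which is why the message argues the risk belongs in the security considerations.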