RUPTURE argues for adoption of draft-west-first-party-cookies

https://ruptureit.com/

Practical New Developments on BREACH
Dimitris Karakostas and Dionysis Zindros

<https://raw.github.com/dionyziz/rupture/develop/etc/Black%20Hat%20Asia%202016/asia-16-Practical-New-Developments-In-The-BREACH-Attack-wp.pdf>

[...]

7.2 First-party cookies

The feasibility of the attack lies in the fact that the attacker can
utilize the target service as a compression oracle and retrieve encrypted
compressed secrets along with chosen plaintext data.

This is possible due to the fact that authentication cookies are included
in cross-origin requests. However, this inclusion is completely unnecessary
for most web applications. The ability to mark cookies as first-party only
will eliminate the existence of the oracle.

The first-party cookies proposal [14] describes such a mechanism, with the
purpose of avoiding CSRF attacks. Interestingly, the same mechanism can be
used to defend against compression side-channel attacks and eliminates the
possibility completely.

This proposal is still in draft stage and has not been implemented in any
browser.
We urge browser vendors to adopt it immediately and web service authors to
opt-in.


[...]

https://tools.ietf.org/html/draft-west-first-party-cookies

Received on Thursday, 28 April 2016 22:05:32 UTC
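As an added illustration (not code from the paper, the RUPTURE project or the post), the toy model below simulates the browser's cookie-attachment decision with the first-party-only flag proposed in draft-west-first-party-cookies, and shows why withholding the session cookie on cross-site requests removes the compression oracle described above. The host names, cookie jar, secret token and page template are constructed; the same-site check is simplified to exact host comparison where the draft uses registrable domains.

```python
import zlib
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    host: str
    first_party: bool = False  # models the attribute from draft-west-first-party-cookies


def cookies_for_request(jar, target_host, initiator_host):
    """Cookies a browser would attach to a request for target_host that was
    initiated by a document on initiator_host (constructed model)."""
    attached = []
    for c in jar:
        if c.host != target_host:
            continue
        if c.first_party and initiator_host != target_host:
            continue  # cross-site request: withhold the first-party-only cookie
        attached.append(c)
    return attached


SECRET = "csrf_token=4f9a1c3e7b"  # constructed per-session secret


def serve(cookies, echo):
    """Constructed target page: reflects the caller-supplied `echo` value and,
    only when the session cookie arrived, embeds the per-session secret."""
    body = f"<p>Search results for: {echo}</p>"
    if any(c.name == "session" for c in cookies):
        body += f"<input type='hidden' name='{SECRET}'>"
    return body


def response_size(jar, echo, target="bank.example", initiator="attacker.example"):
    """Compressed length of the response to a cross-site request carrying `echo`:
    the quantity a compression side channel observes."""
    body = serve(cookies_for_request(jar, target, initiator), echo)
    return len(zlib.compress(body.encode()))


def oracle_exists(jar):
    """True if a correct prefix of the secret compresses measurably better than
    a wrong one, i.e. the response length still depends on the secret."""
    return response_size(jar, "csrf_token=4f9a1c3e7") < response_size(jar, "csrf_token=q8w2e7r1t")


if __name__ == "__main__":
    ordinary = [Cookie("session", "abc", "bank.example")]
    first_party = [Cookie("session", "abc", "bank.example", first_party=True)]
    print("oracle with ordinary cookie:   ", oracle_exists(ordinary))
    print("oracle with first-party cookie:", oracle_exists(first_party))
```

With the ordinary cookie the cross-site response embeds the secret and the correct guess compresses shorter; with the first-party-only cookie the same cross-site request is unauthenticated, so the response carries no secret and the two sizes coincide, while same-site requests still receive the cookie.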