- From: Mike West <mkwst@google.com>
- Date: Fri, 29 Apr 2016 08:50:47 +0200
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>, Mark Goodwin <mgoodwin@mozilla.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAKXHy=fx5rf9AKcrEzvjK0zTREvU_C7An4hpGB38kOxBfXaAcQ@mail.gmail.com>
Thanks for the link, Jeff. You'll be shocked (shocked!) to learn that I agree with the authors. We plan to ship an initial implementation of draft-west-first-party-cookies in Chrome ~51, and I'm hopeful that Mozilla will be doing the same in the somewhat near future (+Mark Goodwin, FYI). -mike On Fri, Apr 29, 2016 at 12:04 AM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote: > https://ruptureit.com/ > > Practical New Developments on BREACH > Dimitris Karakostas and Dionysis Zindros > > < > https://raw.github.com/dionyziz/rupture/develop/etc/Black%20Hat%20Asia%202 > 016/asia-16-Practical-New-Developments-In-The-BREACH-Attack-wp.pdf> > > [...] > > 7.2 First-party cookies > > The feasibility of the attack lies on the fact that the attacker can > utilize the target service as a compression oracle and retrieve encrypted > compressed secrets along with chosen plaintext data. > > This is possible due to the fact that authentication cookies are included > in crossorigin requests. However, this inclusion is completely unnecessary > for most web applications. The ability to mark cookies as first-party only > will eliminate the existence of the oracle. > > The first-party cookies proposal [14] describes such a mechanism, with the > purpose of avoiding CSRF attacks. Interestingly, the same mechanism can be > used to defend against compression side-channel attacks and eliminates the > possibility completely. > > This proposal is still in draft stage and has not been implemented in any > browser. > We urge browser vendors to adopt it immediately and web service authors to > opt-in. > > > [...] > > https://tools.ietf.org/html/draft-west-first-party-cookies > > >
Received on Friday, 29 April 2016 06:51:45 UTC