Re: RUPTURE augers for adoption of draft-west-first-party-cookies

Thanks for the link, Jeff. You'll be shocked (shocked!) to learn that I
agree with the authors. We plan to ship an initial implementation of
draft-west-first-party-cookies in Chrome ~51, and I'm hopeful that Mozilla
will be doing the same in the somewhat near future (+Mark Goodwin, FYI).

-mike

On Fri, Apr 29, 2016 at 12:04 AM, =JeffH <Jeff.Hodges@kingsmountain.com>
wrote:

> https://ruptureit.com/
>
> Practical New Developments on BREACH
> Dimitris Karakostas and Dionysis Zindros
>
> <
> https://raw.github.com/dionyziz/rupture/develop/etc/Black%20Hat%20Asia%202
> 016/asia-16-Practical-New-Developments-In-The-BREACH-Attack-wp.pdf>
>
> [...]
>
> 7.2 First-party cookies
>
> The feasibility of the attack lies on the fact that the attacker can
> utilize the target service as a compression oracle and retrieve encrypted
> compressed secrets along with chosen plaintext data.
>
> This is possible due to the fact that authentication cookies are included
> in crossorigin requests. However, this inclusion is completely unnecessary
> for most web applications. The ability to mark cookies as first-party only
> will eliminate the existence of the oracle.
>
> The first-party cookies proposal [14] describes such a mechanism, with the
> purpose of avoiding CSRF attacks. Interestingly, the same mechanism can be
> used to defend against compression side-channel attacks and eliminates the
> possibility completely.
>
> This proposal is still in draft stage and has not been implemented in any
> browser.
> We urge browser vendors to adopt it immediately and web service authors to
> opt-in.
>
>
> [...]
>
> https://tools.ietf.org/html/draft-west-first-party-cookies
>
>
>

Received on Friday, 29 April 2016 06:51:45 UTC