- From: Mark Goodwin <mgoodwin@mozilla.com>
- Date: Fri, 29 Apr 2016 09:26:36 +0100
- To: Mike West <mkwst@google.com>
- Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAGXeGtJ1fwAB-Umm-i_1NKzmcaaNkvp00_bg4j+Jx5pnLfvvYg@mail.gmail.com>
To confirm, I'm currently working on bringing this feature to Firefox. mgoodwin On Fri, Apr 29, 2016 at 7:50 AM, Mike West <mkwst@google.com> wrote: > Thanks for the link, Jeff. You'll be shocked (shocked!) to learn that I > agree with the authors. We plan to ship an initial implementation of > draft-west-first-party-cookies in Chrome ~51, and I'm hopeful that Mozilla > will be doing the same in the somewhat near future (+Mark Goodwin, FYI). > > -mike > > On Fri, Apr 29, 2016 at 12:04 AM, =JeffH <Jeff.Hodges@kingsmountain.com> > wrote: > >> https://ruptureit.com/ >> >> Practical New Developments on BREACH >> Dimitris Karakostas and Dionysis Zindros >> >> < >> https://raw.github.com/dionyziz/rupture/develop/etc/Black%20Hat%20Asia%202 >> 016/asia-16-Practical-New-Developments-In-The-BREACH-Attack-wp.pdf> >> >> [...] >> >> 7.2 First-party cookies >> >> The feasibility of the attack lies on the fact that the attacker can >> utilize the target service as a compression oracle and retrieve encrypted >> compressed secrets along with chosen plaintext data. >> >> This is possible due to the fact that authentication cookies are included >> in crossorigin requests. However, this inclusion is completely unnecessary >> for most web applications. The ability to mark cookies as first-party only >> will eliminate the existence of the oracle. >> >> The first-party cookies proposal [14] describes such a mechanism, with the >> purpose of avoiding CSRF attacks. Interestingly, the same mechanism can be >> used to defend against compression side-channel attacks and eliminates the >> possibility completely. >> >> This proposal is still in draft stage and has not been implemented in any >> browser. >> We urge browser vendors to adopt it immediately and web service authors to >> opt-in. >> >> >> [...] >> >> https://tools.ietf.org/html/draft-west-first-party-cookies >> >> >> >
Received on Friday, 29 April 2016 08:27:05 UTC