Re: RUPTURE augurs for adoption of draft-west-first-party-cookies

To confirm, I'm currently working on bringing this feature to Firefox.

mgoodwin

On Fri, Apr 29, 2016 at 7:50 AM, Mike West <mkwst@google.com> wrote:

> Thanks for the link, Jeff. You'll be shocked (shocked!) to learn that I
> agree with the authors. We plan to ship an initial implementation of
> draft-west-first-party-cookies in Chrome ~51, and I'm hopeful that Mozilla
> will be doing the same in the somewhat near future (+Mark Goodwin, FYI).
>
> -mike
>
> On Fri, Apr 29, 2016 at 12:04 AM, =JeffH <Jeff.Hodges@kingsmountain.com>
> wrote:
>
>> https://ruptureit.com/
>>
>> Practical New Developments on BREACH
>> Dimitris Karakostas and Dionysis Zindros
>>
>> <https://raw.github.com/dionyziz/rupture/develop/etc/Black%20Hat%20Asia%202016/asia-16-Practical-New-Developments-In-The-BREACH-Attack-wp.pdf>
>>
>> [...]
>>
>> 7.2 First-party cookies
>>
>> The feasibility of the attack lies on the fact that the attacker can
>> utilize the target service as a compression oracle and retrieve encrypted
>> compressed secrets along with chosen plaintext data.
>>
>> This is possible due to the fact that authentication cookies are included
>> in cross-origin requests. However, this inclusion is completely unnecessary
>> for most web applications. The ability to mark cookies as first-party only
>> will eliminate the existence of the oracle.
>>
>> The first-party cookies proposal [14] describes such a mechanism, with the
>> purpose of avoiding CSRF attacks. Interestingly, the same mechanism can be
>> used to defend against compression side-channel attacks and eliminates the
>> possibility completely.
>>
>> This proposal is still in draft stage and has not been implemented in any
>> browser.
>> We urge browser vendors to adopt it immediately and web service authors to
>> opt in.
>>
>>
>> [...]
>>
>> https://tools.ietf.org/html/draft-west-first-party-cookies
>>
>>
>>
>
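The quoted section argues that marking the session cookie first-party only removes the compression oracle, because a cross-site page can no longer cause the server to compress the victim's secret together with attacker-chosen text. The script below is an added illustration of that argument; it is not code from the thread, from the RUPTURE paper, or from the draft. It assumes the attribute name `SameSite` with the values `Strict` and `Lax` as shipped in Chrome 51 (earlier revisions of the draft used a different attribute name), models the cookie-attachment rules in simplified form, and uses a constructed HTML page and a constructed CSRF token (`SECRET_TOKEN`, `render`, `attaches_cookie` and `oracle_signal` are names chosen here, not part of any real API).

```python
import zlib

# Constructed sample secret: the CSRF token the server embeds in authenticated pages.
SECRET_TOKEN = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header into name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def attaches_cookie(cookie: dict, request_is_cross_site: bool,
                    top_level_navigation: bool = False, method: str = "GET") -> bool:
    """Simplified model of whether a browser attaches the cookie to a request.

    No SameSite attribute: the 2016 default, cookie goes on every request.
    SameSite=Strict: same-site requests only.
    SameSite=Lax: same-site requests plus top-level navigations with a safe method.
    """
    if not request_is_cross_site:
        return True
    mode = cookie["attrs"].get("samesite", "").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_navigation and method in ("GET", "HEAD")
    return True


def cookies_missing_samesite(set_cookie_headers: list) -> list:
    """Audit helper: names of cookies that carry no SameSite attribute at all."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if "samesite" not in c["attrs"]]


def render(authenticated: bool, reflected: str) -> str:
    """Constructed server response: the token appears only for an authenticated user.

    The HTML deliberately contains no digits so that the only possible LZ77 match
    for the reflected hex string is the token itself.
    """
    if authenticated:
        return ('<html><body><p>Search results for: ' + reflected + '</p>'
                '<form><input type="hidden" name="token" value="' + SECRET_TOKEN + '">'
                '</form></body></html>')
    return '<html><body><p>Please log in to search for: ' + reflected + '</p></body></html>'


def compressed_size(body: str) -> int:
    return len(zlib.compress(body.encode("utf-8")))


def oracle_signal(cookie: dict, cross_site: bool = True) -> int:
    """Size difference (bytes) between the response for a wrong guess and a correct one.

    A positive value means the compressed length leaks whether the reflected text
    matches the secret, i.e. the compression oracle exists for this request.
    The wrong guess is the correct one reversed: same characters, so Huffman
    coding costs are equal and only the LZ77 match against the token differs.
    """
    authenticated = attaches_cookie(cookie, request_is_cross_site=cross_site)
    correct = "token=" + SECRET_TOKEN[:16]
    wrong = "token=" + SECRET_TOKEN[:16][::-1]
    return compressed_size(render(authenticated, wrong)) - compressed_size(render(authenticated, correct))


if __name__ == "__main__":
    legacy = parse_set_cookie("sid=abc; Secure; HttpOnly")
    strict = parse_set_cookie("sid=abc; Secure; HttpOnly; SameSite=Strict")
    print("cross-site request, cookie without SameSite -> signal", oracle_signal(legacy))
    print("cross-site request, SameSite=Strict         -> signal", oracle_signal(strict))
    print("same-site request,  SameSite=Strict         -> signal", oracle_signal(strict, cross_site=False))
    print("cookies to harden:", cookies_missing_samesite(["sid=abc; Secure", "lang=en; SameSite=Lax"]))
```

Run as a script, the legacy cookie produces a positive signal on a cross-site request and the Strict cookie produces zero, while the same-site case still shows a signal: the attribute removes the cross-site oracle, it does not remove the secret from the page, so output compression on pages that reflect attacker input remains a separate design concern.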

Received on Friday, 29 April 2016 08:27:05 UTC