Re: considerations for draft-west-leave-secure-cookies-alone-04

Hi Adam!

On Wed, Dec 23, 2015 at 5:10 AM, Adam Barth <w3c@adambarth.com> wrote:

> As written, draft-west-leave-secure-cookies-alone-04 gives the impression
> that it solves the secure cookie integrity problem.  However, there's still
> a risk that a network attacker can set a non-secure cookie before the
> honest server gets a chance to set a secure cookie.  Because the secure
> cookie doesn't yet exist in the cookie store, the user agent will accept
> the non-secure cookie and the honest server might still be fooled.
>
> IMHO, we should explain this risk in the security considerations section.
> Here's some example text that you should feel free to edit/use/ignore:
>

I agree, thank you for pointing this out. I've uploaded an -05 along the
lines you suggested.
https://github.com/mikewest/internetdrafts/commit/9e0a556801c2a2b08012f2dcb2937a1c222b57d1#diff-070f991d1d237dc8e63ce181c3da3f7e
is the diff, which I hope says more or less the same thing you suggested.

-mike

Received on Thursday, 7 January 2016 15:04:52 UTC
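An added example, not code from this thread or from the draft: a toy Python model of the storage check that draft-west-leave-secure-cookies-alone adds to the RFC 6265 cookie store, run in both orderings Adam describes. Cookie matching is simplified (host names only, no "vice versa" domain match), and the hostname and cookie values are constructed for the illustration.

```python
# Added example, not code from the thread or the draft: a toy model of the
# storage check in draft-west-leave-secure-cookies-alone (RFC 6265 section 5.3).
from collections import namedtuple

Cookie = namedtuple("Cookie", "name value domain path secure")

def domain_matches(s, domain):
    # RFC 6265 5.1.3, simplified: equal, or s is a subdomain of domain
    return s == domain or (s.endswith(domain) and s[-len(domain) - 1] == ".")

def path_matches(req_path, cookie_path):
    # RFC 6265 5.1.4
    if not req_path.startswith(cookie_path):
        return False
    return (req_path == cookie_path or cookie_path.endswith("/")
            or req_path[len(cookie_path)] == "/")

class CookieStore:
    def __init__(self):
        self.cookies = {}  # keyed by (name, domain, path), RFC 6265 5.3 step 11

    def set_cookie(self, new, from_secure_scheme):
        """True if stored; False if the draft's non-secure-origin check aborted."""
        if not from_secure_scheme:
            if new.secure:  # a non-secure origin may not set a Secure cookie...
                return False
            for old in self.cookies.values():  # ...nor shadow an existing one
                if (old.secure and old.name == new.name
                        and domain_matches(new.domain, old.domain)
                        and path_matches(new.path, old.path)):
                    return False
        self.cookies[(new.name, new.domain, new.path)] = new
        return True

    def cookie_header(self, host, path, secure_request):
        return [c.value for c in self.cookies.values()
                if domain_matches(host, c.domain) and path_matches(path, c.path)
                and (secure_request or not c.secure)]

def race(attacker_first):
    """Values the honest HTTPS server sees for 'session' after a network
    attacker has tried to set a non-secure cookie of that name over HTTP."""
    store = CookieStore()  # constructed hostname and values
    honest = Cookie("session", "server-chosen", "example.com", "/", True)
    spoof = Cookie("session", "attacker-chosen", "example.com", "/", False)
    if not attacker_first:
        store.set_cookie(honest, from_secure_scheme=True)
    spoof_stored = store.set_cookie(spoof, from_secure_scheme=False)
    return spoof_stored, store.cookie_header("example.com", "/", True)
```

With the Secure cookie already present the non-secure write is refused; if the attacker writes first there is nothing to protect yet, which is the case the -05 security considerations now call out.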