Cookies and schemes.

Hey folks!

We've known for quite some time that cookies' lack of respect for the
scheme that created them was an unfortunate choice that means cookies can
give only weak guarantees of confidentiality
<https://tools.ietf.org/html/rfc6265#section-8.5>. We further know that
long-lived non-secure cookies create real risks for users (pervasive
monitoring, data safety, etc.).

Martin Thomson's https://tools.ietf.org/html/draft-thomson-http-omnomnom-00 is
one take on an approach to mitigating these risks.
https://github.com/mikewest/cookies-over-http-bad is another. Neither took
off when they were proposed, but they seem to me to be clearly good ideas,
at least directionally. Given the state of the world today, and the
significant migration from HTTP to HTTPS we've seen in the past few years,
I'd like to try tilting at this particular windmill again:

https://github.com/mikewest/scheming-cookies proposes two changes:

1. We teach cookies about schemes, and lock them to the scheme that set
them (just like every other web-facing storage mechanism).

2. We curtail non-secure schemes' cookies' lifetime by agreeing on a set of
heuristics for a user's "session" on a given site, and culling cookies when
a site's session expires.

The explainer tries to work through each of those and their implications in
a little more detail. I'd appreciate feedback, either here or in the GitHub
repo. :)

-mike

Received on Monday, 9 March 2020 08:52:14 UTC
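The two proposed changes, modelled as an added example (my own illustration, not code from the scheming-cookies explainer): a cookie jar that keys cookies on the scheme that set them and drops non-secure cookies once a site's session ends. The session heuristic here is a constructed inactivity window; the proposal itself does not fix a number, and the `SchemingCookieJar` name and `legacy_cookies_for` comparison are assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the explainer's session heuristics (assumption):
# a site's non-secure session ends after this much inactivity, in seconds.
NON_SECURE_SESSION_TIMEOUT = 30 * 60


@dataclass
class Cookie:
    name: str
    value: str
    scheme: str   # "http" or "https": the scheme that set the cookie
    host: str


@dataclass
class SchemingCookieJar:
    """Cookie jar applying change 1 (scheme lock) and change 2 (session cull)."""
    cookies: list = field(default_factory=list)
    last_visit: dict = field(default_factory=dict)  # host -> last activity time

    def set_cookie(self, url, name, value, now):
        parts = urlsplit(url)
        key = (parts.scheme, parts.hostname, name)
        # Replace any cookie with the same (scheme, host, name); the scheme is
        # part of the key, so http:// and https:// cookies never collide.
        self.cookies = [c for c in self.cookies
                        if (c.scheme, c.host, c.name) != key]
        self.cookies.append(Cookie(name, value, parts.scheme, parts.hostname))
        self.last_visit[parts.hostname] = now

    def cull_expired(self, now):
        # Change 2: non-secure cookies die with the site's session; secure
        # cookies keep whatever lifetime they were given.
        self.cookies = [c for c in self.cookies
                        if c.scheme == "https"
                        or now - self.last_visit[c.host] < NON_SECURE_SESSION_TIMEOUT]

    def cookies_for(self, url, now):
        parts = urlsplit(url)
        self.cull_expired(now)          # cull before this visit refreshes the session
        self.last_visit[parts.hostname] = now
        # Change 1: a cookie is only returned over the scheme that set it.
        return {c.name: c.value for c in self.cookies
                if c.host == parts.hostname and c.scheme == parts.scheme}

    def legacy_cookies_for(self, url):
        # Today's RFC 6265 behaviour for comparison: host match only, no scheme
        # check and no session-based culling, so http:// cookies reach https://.
        host = urlsplit(url).hostname
        return {c.name: c.value for c in self.cookies if c.host == host}
```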