- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 9 Mar 2020 14:00:29 +0100
- To: Mike West <mkwst@google.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, mt@lowentropy.net
Hi Mike, On Mon, Mar 09, 2020 at 09:51:46AM +0100, Mike West wrote: > Hey folks! > > We've known for quite some time that cookies' lack of respect for the > scheme that created them was an unfortunate choice that means cookies can > give only weak guarantees of confidentiality > <https://tools.ietf.org/html/rfc6265#section-8.5>. We further know that > long-lived non-secure cookies create real risks for users (pervasive > monitoring, data safety, etc). > > Martin Thomson's https://tools.ietf.org/html/draft-thomson-http-omnomnom-00 is > one take on an approach to mitigating these risks. > https://github.com/mikewest/cookies-over-http-bad is another. Neither took > off when they were proposed, but they seem to me to be clearly good ideas, > at least directionally. Given the state of the world today, and the > significant migration from HTTP to HTTPS we've seen in the past few years, > I'd like to try tilting at this particular windmill again: > > https://github.com/mikewest/scheming-cookies proposes two changes: > > 1. We teach cookies about schemes, and lock them to the scheme that set > them (just like every other web-facing storage mechanism). > > 2. We curtail non-secure schemes' cookies' lifetime by agreeing on a set of > heuristics for a user's "session" on a given site, and culling cookies when > a site's session expires. > > The explainer tries to work through each of those and their implications in > a little more detail. I'd appreciate feedback, either here or in the GitHub > repo. :) What I'm seeing there sounds reasonable to me. The main use I know for cookies in clear text is for server stickiness. These ones are exclusively session cookies (no expiration date so that they're never stored). With browsers now staying open forever, these ones are sometimes problematic (i.e. many users sticking to a single server after a domino effect) and I've found myself having to artificially implement timeouts in their values to be able to ignore too old cookies. If we would implement a limitation to the lifetime of a session cookie, it would solve this but would create a new problem which is that sessions would be limited in time, which is not the same as limiting the idle time as you don't want to break a session being used. What we need is a way to let the client inform the server that it'd rather refresh the cookie if it really wants the client to continue to present it (this is what we do in haproxy as the expiration time is provided in the value so that we can decide to drop it or update it). Or instead of forcing a limited lifetime on session cookies in cleartext, we could force a limited idle time, which more closely matches the real problem (i.e. users not aware they're passing such info). Regarding the scheme, there is a use case for cookies passed from HTTP to HTTPS which is also to ensure the user can stick to the same server when switching to HTTPS. But given that it's just for a short transition it could make sense to address it exactly like the other one above, as a session cookie only and with a much shorter lifetime. One point worth mentioning is that while there are tons of legacy applications outthere making use of cookies, I tend to think that nowadays most of them are placed behind reverse-proxies for various reasons including performance, security, integration, support for newer protocols, and that most of the remaining legitimate clear-text cookies are really used by infrastructure components such as load balancers, which are usually kept reasonably up to date and can be reconfigured to adapt to an evolving ecosystem. In addition I'm not aware of any valid use case of stored cookies learned over cleartext connections. While typing this I'm thinking that most of the cookies I'm seeing in requests don't come from servers themselves but are set from javascript components. Maybe we could already have browsers ask for user's consent before setting a cookie from JS on a cleartext page ? And maybe also before sending a stored cookie on such a page ? That would be a nice way to get sites to progressively apply some cleanups and remove part or all of their useless trackers. It would also make sense to enforce shorter names+values for cleartext cookies: if a server stores a lot of info in a cleartext cookie, then there definitely is a problem and most likely it's not by design but rather a mistake. Keeping only up to 16 chars for the name and 16 for the value looks quite enough for a servername and various deliberate use cases (infrastructure paths). Just my two cents, Willy
Received on Monday, 9 March 2020 13:00:52 UTC