Re: A Somewhat Critical View of SOP (Same Origin Policy) from Tony Arcieri on 2015-09-25 (public-web-security@w3.org from September 2015)

From: Tony Arcieri <bascule@gmail.com>
Date: Fri, 25 Sep 2015 00:53:08 -0500
To: Harry Halpin <hhalpin@w3.org>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
Message-ID: <CAHOTMVJGQLy=fj5RJ+Yr3VpGGW5SXMvTpeGz8eL1PWHnou7xEg@mail.gmail.com>

On Wed, Sep 23, 2015 at 8:57 AM, Harry Halpin <hhalpin@w3.org> wrote:

> Supporters of such positions seem to have a lack of understanding of the

modern Web and/or basic cryptography and while to some extent basic

education can be done on Web-related mailing lists, I
> doubt many people find it is a productive use of their time given the
> large amount of high quality online courses out there and relatively
> important work that has to be done in terms of Web standards.

I have to agree with Harry Halpin here. I have been reluctant to further
respond to this thread, but it seems like the people making the case that
SOP needs to be abandoned do not understand SOP at a level requisite for
participation in a web standards body.

There is one particular issue I think really needs to be called out,
because I feel it represents what I'd consider a "web appsec 101" level
understanding of how SOP works. I think this sort of egregious
misunderstanding of SOP is the sort of thing that's frustrating Harry
Halpin:

https://www.w3.org/Security/wiki/IG/a_view_on_SOP

Claim: "cookies: a single origin weak identity that lasts at most one year
and that is controlled by the server"

This claim has been repeated by others in this thread (e.g. Henry Story)

Cookies do not follow SOP:

Cookies are shared across http:// and https:// origins unless the Secure
flag is explicitly set. This flag is only present in the Set-Cookie header
and is not transmitted back to the server in subsequent Cookie headers, so
attackers who are able to MitM http:// traffic are able to set cookies
which will be indistinguishably replayed to https:// origins without
context as to the origin they were set on. This can be used for e.g.
session fixation attacks. If cookies actually followed SOP, these sorts of
attacks would not be possible.

Cookies support a Domain attribute that allows them to be set across
origins. This means attackers who are able to gain access to one particular
subdomain can perform similar attacks setting cookies at the domain level
which will clobber existing cookies and be replayed by clients to other
subdomains, again without the context of the origin they were actually set
on. Again, if cookies actually followed SOP, these sorts of attacks would
not be possible.

This is the sort of foundational web appsec knowledge I think should be a
minimum bar for participating in any W3C discussions to abandon SOP.

--
Tony Arcieri

Received on Friday, 25 September 2015 05:53:57 UTC