On Wed, Sep 23, 2015 at 8:57 AM, Harry Halpin <hhalpin@w3.org> wrote:

> Supporters of such positions seem to have a lack of understanding of the
> modern Web and/or basic cryptography and while to some extent basic
> education can be done on Web-related mailing lists, I doubt many people
> find it is a productive use of their time given the large amount of high
> quality online courses out there and relatively important work that has
> to be done in terms of Web standards.

I have to agree with Harry Halpin here. I have been reluctant to further respond to this thread, but it seems like the people making the case that SOP needs to be abandoned do not understand SOP at a level requisite for participation in a web standards body.

There is one particular issue I think really needs to be called out, because I feel it represents what I'd consider a "web appsec 101" level understanding of how SOP works. I think this sort of egregious misunderstanding of SOP is the sort of thing that's frustrating Harry Halpin:

https://www.w3.org/Security/wiki/IG/a_view_on_SOP

Claim: "cookies: a single origin weak identity that lasts at most one year and that is controlled by the server"

This claim has been repeated by others in this thread (e.g. Henry Story).

Cookies do not follow SOP:

- Cookies are shared across http:// and https:// origins unless the Secure flag is explicitly set. This flag is only present in the Set-Cookie header and is not transmitted back to the server in subsequent Cookie headers, so attackers who are able to MitM http:// traffic are able to set cookies which will be indistinguishably replayed to https:// origins without context as to the origin they were set on. This can be used for e.g. session fixation attacks. If cookies actually followed SOP, these sorts of attacks would not be possible.

- Cookies support a Domain attribute that allows them to be set across origins. This means attackers who are able to gain access to one particular subdomain can perform similar attacks setting cookies at the domain level which will clobber existing cookies and be replayed by clients to other subdomains, again without the context of the origin they were actually set on. Again, if cookies actually followed SOP, these sorts of attacks would not be possible.

This is the sort of foundational web appsec knowledge I think should be a minimum bar for participating in any W3C discussions to abandon SOP.

--
Tony Arcieri

Received on Friday, 25 September 2015 05:53:59 UTC
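As an added illustration (not part of the message above or of the W3C thread), the following Python model of RFC 6265 cookie scoping reproduces the two points it makes: a cookie set over http:// is replayed to the https:// origin of the same host unless Secure was set, the Cookie header carries no Secure or Domain attribute back to the server, and a Domain= cookie set from one subdomain is sent to every sibling subdomain. Hostnames and cookie values are constructed for the demonstration.

```python
from urllib.parse import urlparse

def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class CookieJar:
    """Minimal model of RFC 6265 cookie storage and Cookie header generation."""
    def __init__(self):
        self.cookies = []  # tuples of (name, value, domain, host_only, secure)

    def set_cookie(self, url, set_cookie):
        """Store a cookie from a Set-Cookie header received while fetching url."""
        host = urlparse(url).hostname.lower()
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
        domain = attrs.get("domain", "").lstrip(".").lower()
        host_only = not domain
        if host_only:
            domain = host
        elif not domain_matches(host, domain):
            return  # section 5.3 step 6: Domain must cover the responding host
        # The scheme the cookie arrived on is not recorded, so a plaintext http://
        # response replaces a same-named cookie that was previously set over https://.
        self.cookies = [c for c in self.cookies if (c[0], c[2]) != (name, domain)]
        self.cookies.append((name, value, domain, host_only, "secure" in attrs))

    def cookie_header(self, url):
        """Cookie header for a request to url: only name=value pairs, no attributes."""
        u = urlparse(url)
        host = u.hostname.lower()
        sent = []
        for name, value, domain, host_only, secure in self.cookies:
            in_scope = host == domain if host_only else domain_matches(host, domain)
            if not in_scope or (secure and u.scheme != "https"):
                continue  # Secure only restricts where a cookie is sent, not who set it
            sent.append(f"{name}={value}")
        return "; ".join(sent)

def demo():
    """The two scenarios from the message, with constructed hostnames and values."""
    jar = CookieJar()
    jar.set_cookie("https://example.com/login", "session=legit; Secure")
    only_https = jar.cookie_header("http://example.com/")        # "" : Secure withheld
    jar.set_cookie("http://example.com/", "session=fixated")      # injected via plaintext
    replayed = jar.cookie_header("https://example.com/account")  # "session=fixated"
    jar.set_cookie("https://blog.example.com/", "session=clobbered; Domain=example.com")
    sibling = jar.cookie_header("https://www.example.com/")      # "session=clobbered"
    return {"only_https": only_https, "replayed": replayed, "sibling": sibling}
```

The server receiving `session=fixated` over https:// has no way to tell from the Cookie header that it was set by a plaintext response, which is the point the message makes.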