On 15/04/12 05:23, Rohan Jain wrote:
> On 22:50 +0100 / 13 Apr, Luke Plant wrote:
>> The reason for the strict referer checking under HTTPS is set out here:
>>
>> https://code.djangoproject.com/wiki/CsrfProtection
>>
>> Particularly, it is to fix the 'CSRF + MITM' attack that is possible
>> under HTTPS. The key elements are set out in the following scenario
>> (although it is not the only variation):
>>
>>  - a client connects to a site via HTTP: http://example.com/
>>  - in the response, an active MITM attacker sets a cookie over
>>    HTTP for example.com
>>  - this cookie will be used by the client when it connects over HTTPS
>>    to the same domain (this is the fundamental problem, but we can't
>>    fix it - it's what browsers do).
>>  - the MITM also inserts a POST form in the HTTP response.
>>    The form has a CSRF token that matches the cookie that was
>>    set by the attacker.
>>    The form targets https://example.com/ and is automatically
>>    submitted by JavaScript.
>>
>> Without strict referer checking, the POST request will succeed, even
>> though it is forged.
>>
>> Signing the cookie or token value does no good at all, because the
>> attacker can retrieve a valid cookie/token pair directly from
>> https://example.com/.
> 
> I am a bit confused about this. How can an attacker extract the token
> out of the signed cookie without the private key? There is a
> possibility that the attacker deletes and sets the cookie right out,
> but since that case won't be correctly signed server can handle it
> securely.

They don't need to extract the token, they just need to replay an
existing good token/cookie pair, which they can get directly from the
server any time they want.

(Also, signing does nothing to hide the token. Are you actually talking
about encryption here? But even if you encrypt it, it doesn't help - the
only thing that matters is that the CSRF form token 'matches' the CSRF
cookie, whatever your definition of 'match', and that can be achieved by
getting the pair from the server.)

Luke

-- 
"My capacity for happiness you could fit into a matchbox without
taking out the matches first." (Marvin the paranoid android)

Luke Plant || http://lukeplant.me.uk/
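The strict referer check described in this thread, as an added Python example (not Django's own implementation); the request dicts, the token value and the host name example.com are constructed stand-ins. The forged request carries a valid cookie/token pair, as the thread says the attacker can obtain, so only the referer check separates it from a genuine one:

```python
from urllib.parse import urlsplit

# Constructed requests (not from the thread). The cookie/token pair is the
# same valid pair in all three, because the attacker can replay one fetched
# from https://example.com/. Only the origin of the submitting page differs.
LEGIT_POST = {"secure": True, "cookie_token": "t1", "form_token": "t1",
              "referer": "https://example.com/account/"}
MITM_POST = {"secure": True, "cookie_token": "t1", "form_token": "t1",
             "referer": "http://example.com/"}  # form injected into the HTTP page
NO_REFERER_POST = {"secure": True, "cookie_token": "t1", "form_token": "t1",
                   "referer": None}


def check_csrf(request, expected_host):
    """Return (accepted, reason).

    `request` is a plain dict standing in for an HTTP request: 'secure'
    (served over HTTPS), 'cookie_token', 'form_token', 'referer'. The
    token/cookie match is checked first; under HTTPS a present, https,
    same-host Referer is additionally required. Host comparison uses the
    hostname only (port ignored), a simplification for the example.
    """
    if request["form_token"] != request["cookie_token"]:
        return False, "token/cookie mismatch"
    if not request["secure"]:
        return True, "http request: referer not checked"
    referer = request.get("referer")
    if not referer:
        return False, "referer missing"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "referer scheme is not https"
    if parts.hostname != expected_host:  # hostname is lowercased, port dropped
        return False, "referer host mismatch"
    return True, "ok"


if __name__ == "__main__":
    for name, req in [("legit", LEGIT_POST), ("mitm", MITM_POST),
                      ("no-referer", NO_REFERER_POST)]:
        print(name, check_csrf(req, "example.com"))
```

The forged POST passes the token check and is rejected only because its Referer names the plain-HTTP origin the MITM controlled.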

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.