On Sun, Jul 7, 2013 at 10:37 PM, Yoav Nir <[email protected]> wrote:
> Hi all
>
> This has been submitted with a websec filename, but note that this is not
> (yet) on our charter.
>
> At the Orlando meeting, we discussed some of the security issues with
> keeping HTTP sessions using cookies. There was consensus in the room that
> this is a problem that needs solving. Nicolas Williams, Phillip
> Hallam-Baker, and Yaron Sheffer volunteered to write a problem statement,
> and this is it. The message we got from our AD is that first we should show
> that the working group has the time and energy to work on solving this
> problem, and then we can add this to our charter.
>
> So please have a look at this document, and answer the following:
> - Is this a good starting point for the problem statement?

Hmm, it's surprising there's no discussion of cookie scoping problems like:
 - "cookie stealing" via MITM-created subdomains [1], or
 - "cookie forcing" via attacker-controlled sibling or cousin domains [2]

These attacks seem particularly relevant to this WG, since they can subvert hostname-specified security like HSTS or HPKP.

Also: despite mentioning a few proposals, there's no mention of ChannelID / Channel-bound cookies [3]. ChannelID seems to solve these problems, seems more polished than other proposals, and apparently is being experimentally deployed (see Chrome | Preferences | Cookies and site data | "google.com" or "gmail.com").

> - Will you be willing to review the problem statement?
> - Will you be willing to read multiple solution proposals to help the
> working group choose?
> - Will you be willing to review the solution document?

I'd be more interested in websec taking this on if someone could argue why ChannelID is *not* the right solution, and had some ideas how to do better.
Trevor

[1] http://tools.ietf.org/html/rfc6265 Section 4.1.2.3 WARNING
    https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies Scope
    http://tools.ietf.org/html/rfc6797 Section 14.4
[2] http://tools.ietf.org/html/rfc6265 Sections 4.1.2.5 and 8.6
    http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
    https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies Overwriting cookies
[3] http://tools.ietf.org/html/draft-balfanz-tls-channelid-01
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
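The two cookie-scoping problems named in the message, and the server-side check that channel-bound cookies enable, as an added example that is not part of the mailing-list post, RFC 6265, or the ChannelID draft. It implements RFC 6265's domain-matching rule (Section 5.1.3) to show why a cookie scoped to the registrable domain reaches sibling hosts, and then a simplified channel-binding verifier: the server MACs the session identifier together with the client's channel identifier, so a cookie issued on one channel is rejected when presented on another. The channel identifiers, session ids and the MAC key are constructed placeholders; a real deployment would take the channel id from the TLS layer and keep the key in a secret store.

```python
import hmac
import hashlib
import ipaddress
from typing import Optional

# Constructed demo key; a real server would load this from a secret store.
SERVER_KEY = b"constructed-demo-mac-key-not-for-production"


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 Section 5.1.3 domain matching.

    True when `host` equals `domain`, or `domain` is a suffix of `host`
    preceded by a '.', and `host` is not an IP address. This is the rule
    that lets a cookie with Domain=example.com, set by any host under
    example.com, be sent to every other host under example.com.
    """
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not host.endswith(domain) or host[-len(domain) - 1] != ".":
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never domain-match a suffix
    except ValueError:
        return True


def issue_cookie(session_id: str, channel_id: bytes, key: bytes = SERVER_KEY) -> str:
    """Bind a session id to the client's channel id (e.g. its ChannelID public key).

    Cookie format (constructed for this example): "<session_id>.<hex MAC>", where
    MAC = HMAC-SHA256(key, session_id || "|" || channel_id).
    """
    tag = hmac.new(key, session_id.encode() + b"|" + channel_id, hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_cookie(cookie: str, channel_id: bytes, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the session id if the cookie was issued on this channel, else None.

    A cookie replayed over a different channel (stolen by a MITM-created
    subdomain, or forced into a victim's browser by a sibling domain) carries
    a MAC computed over the other channel's id and fails here.
    """
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(key, session_id.encode() + b"|" + channel_id, hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected, tag) else None


def demo() -> dict:
    """Walk both scenarios from the message; returns the outcomes for inspection."""
    victim_channel = b"constructed-victim-channel-id"
    attacker_channel = b"constructed-attacker-channel-id"

    # Scoping: a Domain=example.com cookie set by evil.example.com is in scope
    # for www.example.com, so the browser will send it there (cookie forcing).
    forced_in_scope = domain_match("www.example.com", "example.com")

    # Forcing: attacker obtains a session cookie on its own channel and plants it
    # in the victim's browser; the victim then presents it over the victim's channel.
    forced = issue_cookie("sess-attacker", attacker_channel)

    # Stealing: the victim's cookie is captured and replayed from the attacker's channel.
    stolen = issue_cookie("sess-victim", victim_channel)

    return {
        "forced_cookie_in_scope": forced_in_scope,
        "forced_cookie_accepted": verify_cookie(forced, victim_channel) is not None,
        "stolen_cookie_accepted": verify_cookie(stolen, attacker_channel) is not None,
        "legitimate_accepted": verify_cookie(stolen, victim_channel) == "sess-victim",
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the example makes is the one the message draws: domain matching alone cannot keep a sibling host's cookie away from the victim host, so a cookie-based fix for HSTS or HPKP subversion has to bind the cookie to something the attacker's channel cannot reproduce. `domain_match` is also a handy audit helper for checking which hosts a given Domain attribute actually covers.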
