HTTPbis                                                          M. West
Internet-Draft                                               Google, Inc
Updates: 6265 (if approved)                              January 7, 2016
Intended status: Standards Track
Expires: July 10, 2016

     Deprecate modification of 'secure' cookies from non-secure origins
                  draft-west-leave-secure-cookies-alone-05

Abstract

   This document updates RFC6265 by removing the ability for a
   non-secure origin to set cookies with a 'secure' flag, and to
   overwrite cookies whose 'secure' flag is set.  This deprecation
   improves the isolation between HTTP and HTTPS origins, and reduces
   the risk of malicious interference.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 10, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology and notation
   3.  Recommendations
   4.  Security Considerations
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Appendix A.  Acknowledgements
   Author's Address

1.  Introduction

   Section 8.5 and Section 8.6 of [RFC6265] spell out some of the
   drawbacks of cookies' implementation: due to historical accident,
   non-secure origins can set cookies which will be delivered to secure
   origins in a manner indistinguishable from cookies set by that origin
   itself.  This enables a number of attacks, which have been recently
   spelled out in some detail in [COOKIE-INTEGRITY].

   We can mitigate the risk of these attacks by making it more difficult
   for non-secure origins to influence the state of secure origins.
   Accordingly, this document recommends the deprecation and removal of
   non-secure origins' ability to write cookies with a 'secure' flag,
   and their ability to overwrite cookies whose 'secure' flag is set.

2.  Terminology and notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The "scheme" component of a URI is defined in Section 3 of [RFC3986].

3.  Recommendations

   This document updates Section 5.3 of [RFC6265] as follows:

   1.  After step 8 of the current algorithm, which sets the cookie's
       "secure-only-flag", execute the following step:

       1.  If the "scheme" component of the "request-uri" does not
           denote a "secure" protocol (as defined by the user agent),
           and the cookie's "secure-only-flag" is "true", then abort
           these steps and ignore the newly created cookie entirely.

   2.  Before step 11, execute the following step:

       1.  If the newly created cookie's "secure-only-flag" is not set,
           and the "scheme" component of the "request-uri" does not
           denote a "secure" protocol, then abort these steps and ignore
           the newly created cookie entirely if the cookie store
           contains one or more cookies that meet all of the following
           criteria:

           1.  Their "name" matches the "name" of the newly created
               cookie.

           2.  Their "secure-only-flag" is set.

           3.  Their "domain" domain-matches the "domain" of the newly
               created cookie, or vice-versa.

       Note: This comparison intentionally ignores the "path"
       component.  The intent is to allow the "secure" flag to
       supersede the "path" restrictions to protect sites against
       cookie fixing attacks.

       Note: This allows "secure" pages to override "secure" cookies
       with non-secure variants.  Perhaps we should restrict that as
       well?

   3.  In order to ensure that a non-secure site can never cause a
       "secure" cookie to be evicted, adjust the "remove excess cookies"
       priority order at the bottom of Section 5.3 to be the following:

       1.  Expired cookies.

       2.  Cookies whose "secure-only-flag" is not set and which share a
           "domain" field with more than a predetermined number of other
           cookies.

       3.  Cookies that share a "domain" field with more than a
           predetermined number of other cookies.

       4.  All cookies.

       Note that the eviction algorithm specified here is triggered only
       after insertion of a cookie which causes the user agent to exceed
       some predetermined upper bound.  Conforming user agents MUST
       ensure that inserting a non-secure cookie does not cause a secure
       cookie to be removed.
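   As an added illustration (not part of the draft or of any user
   agent's code), the following Python sketch applies the three changes
   above to a toy cookie store.  The names `SECURE_SCHEMES`, `Cookie`
   and `CookieStore`, the per-domain limit, and the omission of the
   global "all cookies" eviction step and of the IP-address clause of
   RFC 6265's domain-matching are my assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit
SECURE_SCHEMES = {"https", "wss"}   # "secure" protocols, as judged by this user agent

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure_only: bool = False   # RFC 6265 "secure-only-flag"
    expired: bool = False

def domain_matches(string: str, domain: str) -> bool:
    # RFC 6265 Section 5.1.3, minus the IP-address check (assumption: hosts only)
    string, domain = string.lower(), domain.lower()
    return string == domain or string.endswith("." + domain)

class CookieStore:
    def __init__(self, max_per_domain: int = 50):
        self.cookies, self.max_per_domain = [], max_per_domain

    def store(self, request_uri: str, cookie: Cookie) -> bool:
        secure_request = urlsplit(request_uri).scheme in SECURE_SCHEMES
        # Draft Section 3, item 1: a non-secure origin may not set a "secure" cookie.
        if cookie.secure_only and not secure_request:
            return False
        # Item 2: a non-secure origin may not overwrite or shadow an existing "secure"
        # cookie of the same name on a domain-matching domain; "path" is ignored.
        if not secure_request and any(
                old.secure_only and old.name == cookie.name and
                (domain_matches(old.domain, cookie.domain) or
                 domain_matches(cookie.domain, old.domain))
                for old in self.cookies):
            return False
        # RFC 6265 step 11: replace an old cookie with the same name, domain and path.
        key = (cookie.name, cookie.domain, cookie.path)
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.path) != key]
        self.cookies.append(cookie)
        self._evict(cookie.domain)
        return True

    def _evict(self, domain: str) -> None:
        """Item 3: eviction order; a non-secure insert never removes a secure cookie."""
        self.cookies = [c for c in self.cookies if not c.expired]   # 1. expired first
        same = lambda: [c for c in self.cookies if c.domain == domain]
        while len(same()) > self.max_per_domain:
            non_secure = [c for c in same() if not c.secure_only]
            # 2. non-secure cookies on the over-full domain, then 3. any cookie there
            self.cookies.remove(non_secure[0] if non_secure else same()[0])
```

   The store accepts a non-secure cookie as long as no "secure" cookie
   of that name is present yet, which is exactly the gap Section 4
   describes.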
4.  Security Considerations

   This specification increases a site's confidence that secure cookies
   it sets will remain unmodified by insecure pages on hosts which it
   domain-matches.  Ideally, sites would use HSTS as described in
   [RFC6797] to defend more robustly against the dangers of non-secure
   transport in general, but until adoption of that protection becomes
   ubiquitous, the deprecation this document recommends will mitigate a
   number of risks.

   The mitigations in this document do not, however, give complete
   confidence that a given cookie was set securely.  If an attacker is
   able to impersonate a response from "http://example.com/" before a
   user visits "https://example.com/", the user agent will accept any
   cookie that the insecure origin sets, as the "secure" cookie won't
   yet be present in the user agent's cookie store.  An active network
   attacker may still be able to use this ability to mount an attack
   against "example.com", even if that site uses HTTPS exclusively.

   The proposal in [COOKIE-PREFIXES] could mitigate this risk, as could
   "preloading" HSTS for "example.com" into the user agent
   [HSTS-PRELOADING].

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011.

5.2.  Informative References

   [COOKIE-INTEGRITY]
              Zheng, X., Jiang, J., Liang, J., Duan, H., Chen, S., Wan,
              T., and N. Weaver, "Cookies Lack Integrity: Real-World
              Implications", n.d.

   [COOKIE-PREFIXES]
              West, M., "Cookie Prefixes", n.d.

   [HSTS-PRELOADING]
              "HSTS Preload Submission", n.d.

   [RFC6797]  Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
              Transport Security (HSTS)", RFC 6797,
              DOI 10.17487/RFC6797, November 2012.

Appendix A.  Acknowledgements

   Richard Barnes encouraged a formalization of the deprecation
   proposal.  [COOKIE-INTEGRITY] was a useful exploration of the issues
   [RFC6265] described.

Author's Address

   Mike West
   Google, Inc

   Email: mkwst@google.com
   URI:   https://mikewest.org/