Internet DRAFT - draft-thomson-http-omnomnom
draft-thomson-http-omnomnom
Network Working Group M. Thomson
Internet-Draft C. Peterson
Intended status: Standards Track Mozilla
Expires: November 27, 2016 May 26, 2016
Expiring Aggressively Those HTTP Cookies
draft-thomson-http-omnomnom-00
Abstract
HTTP Cookies that are sent over connections without confidentiality
and integrity protection are vulnerable to theft. Such cookies
should be expired aggressively.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 27, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Thomson & Peterson Expires November 27, 2016 [Page 1]
Internet-Draft EAT HTTP Cookies May 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 2
2. Expire Cookies . . . . . . . . . . . . . . . . . . . . . . . 2
3. Security Considerations . . . . . . . . . . . . . . . . . . . 3
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 3
5.1. Normative References . . . . . . . . . . . . . . . . . . 3
5.2. Informative References . . . . . . . . . . . . . . . . . 4
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
HTTP cookies [RFC6265] provide a means of persisting server state
between multiple requests. This feature is widely used on both HTTP
[RFC7230] and HTTPS [RFC2818] requests.
The authority for "http://" resources (see Section 9.1 of [RFC7230])
derives from insecure sources: notably the network and the DNS
(absent DNSSEC). This situation might change over time. As
persistent state, cookies create a way for an attacker to link
requests. The information that a cookie holds might also be valuable
to that attacker in some way.
To limit the effectiveness of attacks on cleartext communications
[RFC7258], user agents are encouraged to limit the persistence of
cookies that are set over insecure connections.
1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Expire Cookies
Cookies that are set using insecure channels (i.e., HTTP over
cleartext TCP), MUST have a short time limit on the time that they
are persisted. For instance, such cookies might only persist until
the user closes their browser.
If a user agent detects a change in network conditions it SHOULD
remove any cookies that were established using insecure channels.
Alternatives:
Thomson & Peterson Expires November 27, 2016 [Page 2]
Internet-Draft EAT HTTP Cookies May 2016
o In the investigation into this change, it was suggested that
cookies without the "Secure" flag might be given the same
treatment. However, this resulted in a far greater number of
cookies being affected and some interoperability problems as a
result.
o This change might be limited to cookies that are set in third-
party contexts. See [I-D.west-first-party-cookies].
Limiting access to third-party cookies in this fashion could have
the secondary effect of encouraging providers of third-party
content to move to HTTPS. This removes that content as a barrier
to the adoption of HTTPS for the sites that include that content.
3. Security Considerations
This document describes an improvement that could be a security
improvement. However, this is not without risks. For cookies that
are used as a substitute for logins, more regular clearing of a login
cookie could expose the primary authentication token (for instance, a
password) to more network attackers as a result of being entered more
often.
Clearing login tokens could also cause a degree of user annoyance, as
login information is lost. Such annoyance manifests in many subtle
ways.
Limiting the change to third-party contexts as suggested above might
reduce these risks, though with lesser overall impact.
4. IANA Considerations
This document makes no request of IANA.
5. References
5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
DOI 10.17487/RFC6265, April 2011,
<http://www.rfc-editor.org/info/rfc6265>.
Thomson & Peterson Expires November 27, 2016 [Page 3]
Internet-Draft EAT HTTP Cookies May 2016
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<http://www.rfc-editor.org/info/rfc7230>.
5.2. Informative References
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000,
<http://www.rfc-editor.org/info/rfc2818>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
2014, <http://www.rfc-editor.org/info/rfc7258>.
Appendix A. Acknowledgements
Henri Sivonen first suggested that non-Secure cookies be made
ephemeral. Chris Peterson did much of the initial investigation and
work. See <https://bugzilla.mozilla.org/show_bug.cgi?id=1160368> for
details.
Authors' Addresses
Martin Thomson
Mozilla
Email: martin.thomson@gmail.com
Chris Peterson
Mozilla
Email: cpeterson@mozilla.com
Thomson & Peterson Expires November 27, 2016 [Page 4]