[cap-talk] Security considerations for cookies

Tyler Close tyler.close at gmail.com
Wed Feb 17 10:52:12 PST 2010


Hi Adam,

Thanks for undertaking this work. It'll be great to be able to refer
people to an RFC document that explains the problems with cookies.

So far, I have just one comment on a paragraph in the Security Section:

"""
Although this security concern goes by a number of names (e.g.,
cross-site request forgery), the issue stems from cookies being a form
of ambient authority. Cookies encourage server operators to separate
designation (in the form of URLs) from authorization (in the form of
cookies). Disentangling designation and authorization can cause the
server and its clients to become confused deputies and undertake
undesirable actions.
"""

Although the term "Confused Deputy" seems to have caught on somewhat,
I find that people (even very smart ones) almost universally don't
really understand what it means. So I'm worried the last sentence of
the above paragraph will simply read to most people as: "Disentangling
designation and authorization can cause bad stuff to happen." Which is
true, but not an effective explanation.

For a thread on another mailing list, I recently wrote the following:

"""
When a private resource is identified by a guessable URI an attacker
can navigate an authorized user to it under a pretense of the
attacker's choosing. In this unexpected context, the attacker can
cause the user to interact with the private resource in an undesired
way. By measuring response times, the attacker may also learn
significant confidential information about the private resource. Using
unguessable URIs, instead of guessable ones, prevents these attacks.
"""

I think the essence of the point is that disentangling designation and
authorization enables an attacker to direct how the permissions of
*other* agents are applied and so lets an attacker exercise
permissions that he himself doesn't have. Perhaps the existing
paragraph could be rewritten to:

"""
Although this security concern goes by a number of names (e.g.,
cross-site request forgery, confused deputy), the issue stems from
cookies being a form of ambient authority. Cookies encourage server
operators to separate designation (in the form of URLs) from
authorization (in the form of cookies). Consequently, an attacker can
provide the designation for a request and the victim user agent
provides the authorization. As a result, the user agent performs
actions chosen by the attacker, but attributed to the user.
"""

Maybe something like the above will hit developers' brain pans in a
more permanent way.

--Tyler
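The split between designation and authorization that the message describes, modelled in a small added Python example (not part of the original post or of the RFC draft): one handler authorizes on the cookie alone, the other also requires a session-bound, unguessable token carried in the request itself. The host name, cookie value, session table and server secret are constructed sample data.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed sample data: the browser holds this session cookie for "alice"
# and attaches it to every request to bank.example, whoever chose the URL.
SESSIONS = {"sid=7f3a9c": "alice"}
SERVER_SECRET = b"constructed-server-secret"


def _action(url):
    """Extract the designated payee and any request token from the URL."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("to", [None])[0], qs.get("tok", [""])[0]


def handle_ambient(url, cookie):
    """Cookie-only authorization: the URL (designation) and the cookie
    (authorization) may come from different parties, so whoever can make
    the browser fetch the URL acts with alice's authority."""
    user = SESSIONS.get(cookie)
    to, _ = _action(url)
    if user is None or to is None:
        return None
    return f"{user} paid {to}"


def issue_token(cookie):
    """Unguessable value the server embeds in pages served to this session;
    it ties the designation of a request back to the session."""
    return hmac.new(SERVER_SECRET, cookie.encode(), hashlib.sha256).hexdigest()


def handle_bound(url, cookie):
    """Authorization also requires the session-bound token inside the
    request, so the party designating the request must hold authority too."""
    user = SESSIONS.get(cookie)
    to, tok = _action(url)
    if user is None or to is None:
        return None
    if not hmac.compare_digest(tok, issue_token(cookie)):
        return None
    return f"{user} paid {to}"


if __name__ == "__main__":
    cookie = "sid=7f3a9c"
    # URL chosen by a third party; the browser still attaches alice's cookie.
    forged = "https://bank.example/pay?to=mallory"
    # URL produced by the bank's own page, which carries alice's token.
    genuine = f"https://bank.example/pay?to=bob&tok={issue_token(cookie)}"
    print(handle_ambient(forged, cookie))   # alice paid mallory
    print(handle_bound(forged, cookie))     # None
    print(handle_bound(genuine, cookie))    # alice paid bob
```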

