On 1/26/10 12:57 PM, Timothy D. Morgan wrote:
> I would like to bring your attention to a paper I published today:
>
> http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
>
> It includes a few minor security problems with HTTP authentication
> dialog boxes and password managers in several browsers.
This is an area Mozilla has been interested in. You should talk to our "Mozilla Labs" folks who have been working on Identity in the browser. They are coming at it from a different angle, but there's a lot of overlap between the problems you and they are trying to solve.

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
http://mozillalabs.com/blog/2009/05/identity-in-the-browser/

I have a quibble with your section on HTTPOnly cookies. By mentioning only IE by name when you follow with "other browsers have been slow to adopt this feature", people will naturally assume that includes Firefox, the only other browser with significant market share. Firefox has supported HTTPOnly since 2007. Although perhaps "slow" compared to when Microsoft invented the feature, that's pretty irrelevant for a paper written three years later, when nearly all Firefox users will have support for it.

Continuing that quote with "and continue to have difficulties fully enforcing this rule in light of newer features (such as AJAX requests/responses)", people will again assume Firefox, when Firefox was the first to get this right and in fact IE is one of the browsers with difficulties. You don't have to take my word for it; this is right in the OWASP chart linked to from your paper and in the "[16]" link from that chart to one of the OWASP authors' blogs:
http://manicode.blogspot.com/2009/02/firefox-3006-httponly-champion.html

> More importantly, it makes an argument for a few small changes to
> browser behavior and/or standards. I would hope that Mozilla
> developers could take a look and provide any feedback. I'm
> particularly interested in opinions on the suggested 401 response
> behavior change. I have submitted this information to other browser
> vendors as well.

Your proposal to reinterpret 401 headers is clever, and if the IETF HTTP working group agreed with this interpretation Firefox would follow. The IETF is currently working on (finishing up) an HTTP revision to clarify things, and you should bring this up with them. In practice, though, I can't see sites adopting it because of the mass of old browsers that will behave badly for some time. Your new header proposal would be easier to get adopted, since old browsers are no worse off by ignoring it.

You must be the Tim who started the "Past proposals for HTTP Auth Logout" thread, and if so you're already involved in the right place for that.

-Dan Veditz

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
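The HTTPOnly point Dan makes above has two halves: a browser must hide HttpOnly cookies from `document.cookie`, and it must also keep them out of the response headers that script can read through XMLHttpRequest, or the "AJAX" path hands the session cookie to script anyway. The following is an added illustration written for this page, not code from the thread, from Mozilla, or from the paper; it models those two script-visible views over a constructed Set-Cookie response so a reader can check the expected behaviour offline. The header list and cookie values are made up sample data, and `parseSetCookie`, `documentCookieView` and `xhrHeaderView` are hypothetical names for the rules, not any browser's API.

```javascript
// Added example (not from the original thread): a model of the two places a
// browser must hide HttpOnly cookies from page script. All cookie names,
// values and headers below are constructed sample data.

// Parse one Set-Cookie header value into a small cookie record.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attrs[key] = rest.join('=').trim();
  }
  return cookie;
}

// Rule 1: what document.cookie may expose is every cookie in the jar
// except those flagged HttpOnly.
function documentCookieView(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Rule 2: what XMLHttpRequest.getAllResponseHeaders() may expose is the
// response header list minus Set-Cookie and Set-Cookie2. Without this filter
// a script could read the raw header and recover the HttpOnly cookie, which
// is the "AJAX" enforcement gap the mail refers to. Names match
// case-insensitively because header names are case-insensitive.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

function xhrHeaderView(headers) {
  return headers.filter(
    ([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())
  );
}

// Constructed sample response: one HttpOnly session cookie, one ordinary
// cookie, and a harmless header that script is allowed to see.
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'SESSIONID=abc123; Path=/; Secure; HttpOnly'],
  ['set-cookie', 'theme=dark; Path=/'],
];

// Build the jar from the sample response and return both script-visible views.
function demo(headers = SAMPLE_HEADERS) {
  const jar = headers
    .filter(([n]) => n.toLowerCase() === 'set-cookie')
    .map(([, v]) => parseSetCookie(v));
  return {
    documentCookie: documentCookieView(jar),
    xhrHeaders: xhrHeaderView(headers),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows `document.cookie` reduced to `theme=dark` and the XHR header view reduced to `Content-Type`; a browser that passes the first check but not the second is the case the mail describes as not "fully enforcing this rule".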