Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00

2013-07-11 Thread Trevor Perrin
On Thu, Jul 11, 2013 at 1:58 PM, Nico Williams wrote: > > At any rate, I don't think we should do anything to exclude channel > bound cookies (at least not yet, not without much more discussion as > to why) as a candidate session continuation protocol. I have given > reasons why I think it should

Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00

2013-07-11 Thread Daniel Kahn Gillmor
On 07/11/2013 03:37 PM, Yoav Nir wrote: > I would still be able to make a form that would cause a POST. It's just a > matter of getting the user to click a button, no? I think I could also do it > in Javascript. Which is why you need CSRF protection, as I mentioned. > > They don't have to. I

Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00

2013-07-11 Thread Daniel Kahn Gillmor
On 07/11/2013 02:41 PM, Yoav Nir wrote: > > * GET /maingage.html?button=shutdown caused the firewall to power-off. > * GET /mainpage.html?button=unload caused the firewall to unload > policy, so that it didn't enforce policy or do IPsec or anything a router > wouldn't do. > > So

Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00

2013-07-11 Thread Yoav Nir
On Jul 11, 2013, at 7:51 PM, Trevor Perrin <mailto:tr...@trevp.net> wrote: But even if we restrict our solution to HTTPS, I don't see how ChannelID helps a problem like the BEAST and CRIME attacks. In both cases, the issue is the scoping of cookie use. An attacker's web page or script can caus

Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00

2013-07-11 Thread Trevor Perrin
On Thu, Jul 11, 2013 at 5:50 AM, Yoav Nir wrote: > > On Jul 11, 2013, at 12:32 AM, Trevor Perrin wrote: > > > ChannelID seems to solve these problems, seems more polished than other > proposals, and apparently is being experimentally deployed (see Chrome | > Preferences | Cookies and site data

Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00

2013-07-11 Thread Yoav Nir
On Jul 11, 2013, at 12:32 AM, Trevor Perrin <mailto:tr...@trevp.net> wrote: ChannelID seems to solve these problems, seems more polished than other proposals, and apparently is being experimentally deployed (see Chrome | Preferences | Cookies and site data | "google.com" o