security-services message



Subject: RE: Indexical reference problem defined


Stephen Farrell wrote:
> > What are the threats to a claim check? There are basically 
> two: interception
> > and guessing or deriving its value. 
> 
> Aren't there some http re-direct based attacks against 
> cookies?

You are correct. My previous comments assumed a browser functioning
according to RFC.

Historically, a lot of browsers did not correctly enforce cross-domain cookie
restrictions. Our testing suggests this is no longer an issue.

Just for fun ;-) I searched the SecurityFocus vulnerability database for
"cookie".

I think the one you might have in mind is an IE bug which allows an attacker
to confuse the browser as to which site it is talking to by means of a URL
with escaped characters. (I bet Unicode works, too.) This can cause the
browser to deliver the wrong cookie to the web server. The BUGTRAQ Id is
1194; the CVE is CVE-2000-0439.

There is also a HotJava bug that can reveal cookies.

There is an IIS bug in which it will not always force SSL on cookies marked
"secure."

A bug in MS Site Server and Commercial Information Server can reveal
cookies.

Finally, the Bluestone/Saphire server has a SSO cookie scheme in which the
cookie contains a session id which is incremented by one for each new
session. This supports Bob Blakely's observation that there are a lot of
insecure solutions to the problem.

> If this is still the case, there's not much SAML can do about 
> it, other
> than recognize the vulnerability and maybe give guidance about using 
> cookies for SSO.

I agree. This is fodder for the security and privacy considerations group. A
search of BUGTRAQ, CVE and a few other vulnerability databases strikes me as
appropriate due diligence.

BTW, just for the record, encoded URLs can be used cross domain, where
cookies cannot. However, there are advantages to using cookies within a
domain, for example, encoded URLs tend to kill caching. I believe the
thinking I heard expressed at the F2F was to use a combination of the two.

Hal
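The two threats named in this thread, interception and guessing of a claim check value, are the ones a server-side claim check store has to defend against. The following is an added example, not code from the thread or from any SAML implementation; it assumes a design in which the handle is a random 160-bit value, is redeemable once, and expires after a short TTL (all assumptions of this example, not requirements stated in the message), in contrast to the incremented session id scheme the message describes, where each handle is derivable from the previous one.

```python
import hmac
import secrets
import time

# 20 random bytes = 160 bits; a blind guess succeeds with probability 2**-160.
# An id that is simply "previous + 1" offers no such protection (assumption: contrast only).
CLAIM_CHECK_BYTES = 20


class ClaimCheckStore:
    """Server-side store mapping an unguessable handle to the assertion it stands for.

    Hypothetical design: random handle, single use, short lifetime. The `now`
    parameter is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, ttl_seconds=60, now=time.time):
        self._pending = {}          # handle -> (assertion, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now

    def issue(self, assertion):
        # secrets (not random) draws from the OS CSPRNG, so handles are not derivable.
        handle = secrets.token_hex(CLAIM_CHECK_BYTES)
        self._pending[handle] = (assertion, self._now() + self._ttl)
        return handle

    def redeem(self, handle):
        # Compare against every stored handle in constant time so lookup timing
        # does not leak how many leading characters of a guess were correct.
        match = None
        probe = handle.encode("utf-8")
        for stored in self._pending:
            if hmac.compare_digest(stored.encode("utf-8"), probe):
                match = stored
        if match is None:
            return None
        # Single use: the entry is removed whether or not it has expired, so an
        # intercepted handle that is replayed after redemption yields nothing.
        assertion, expires = self._pending.pop(match)
        if self._now() > expires:
            return None
        return assertion
```

The expiry window bounds how long an intercepted handle remains useful, and single-use redemption means the legitimate redeemer and an interceptor cannot both succeed, which makes a replay detectable as a failed lookup.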

