Wednesday, January 23, 2008

IETF starts working on security requirements for HTTP

Andre sent me a link on "Security Requirements for HTTP". It is exciting to see at least security issues of HTTP protocol are being addressed by IETF. This is a first draft and they are starting to identify the problems and will address them as a final part of this document.

Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement security mechanisms, so that all conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes the trade-offs of each.

The internet draft of "Security Requirements of HTTP" addresses the existing security mechanisms of HTTP or its lack thereof :)

Forms and cookies have number of properties that make them an excellent solution for some implementors. However, many of those properties introduce serious security trade-offs.

HTML forms provide a large degree of control over presentation, which is an imperative for many websites. However, this increases user reliance on the appearance of the interface. Many users do not understand the construction of URIs [RFC3986], or their presentation in common clients [[ CITATION NEEDED ]]. As a result, forms are extremely vulnerable to spoofing.

Cookies are susceptible to a large variety of XSS (cross-site scripting) attacks, and measures to prevent such attacks will never be as stringent as necessary for authentication credentials because cookies are used for many purposes. Cookies are also susceptible to a wide variety of attacks from malicious intermediaries and observers. The possible attacks depend on the contents of the cookie data. There is no standard format for most of the data.

Remember this is just the initial draft and is incomplete but the good news is that they have started working on it and sooner then later would be implemented. It may not have all that we want, but at least it will do something more then what we have today.

No comments: