Slashdot Mirror
How Not To Design a Protocol
An anonymous reader writes "Google security researcher Michael Zalewski posted a cautionary tale for software engineers: amusing historical overview of all the security problems with HTTP cookies, including an impressive collection of issues we won't be able to fix. Pretty amazing that modern web commerce uses a mechanism so hacky that does not even have a proper specification."
yes. and thats whats important.
Read radical news here
Are slashdot accounts with auto-login also vulnerable?
HTTP is like a manual lawn mower. It's not flawless, pretty, blazingly fast, or elegant, but it's usable enough to do the job, and you get used to the quirks.
... cookies are delicious!
Check out my novel.
Darn...and here I thought this was going to be an article on the OSI Network model...
http://en.wikipedia.org/wiki/OSI_model
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
The whole cookie system should be replaced by a system based on public key cryptography. Replace domain scope by associating sessions with the public keys of the client and the server. Authenticate each chunk of exchanged data by signing a hash value. Browsers could offer throwaway key pairs for temporary sessions and persistent key pairs for preferences and permanent logins.
I still think allowing cookies to span more than one distinct domain was a mistake. If we had avoided that in the beginning, cookie scope implementations would be dead simple and not much functionality would be lost on the server side. Also, JavaScript cookie manipulation is something we could easily lose for the benefit of every user, web developer and server admin. I postulate there are very few legitimate uses for document.cookie
I think it can be hard to plan for this far into the future. Look how much the web has changed, and the things we do now with even just HTML and CSS that people back in the beginning probably would never have even considered doing. You build something for your needs and if it works then you are good. Sometimes you don't want to spend time planning it out for the next 5, 10, 20 years because you assume (usually correctly) that what you are writing will be updated long before then and replaced with something else.
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
On a domain.
Like the crosssite.xml or robots.txt files. "Cookies on this site must follow this pattern." Or somesuch.
Most of the rest, I can cope with. Cookie pollution from various forms of injection, not so much.
Adult Role Playing Forum
When it comes to cookies - block them all just like we all block Flash and JavaScript for security reasons.
Inside a VM running a non-Microsoft OS, I have a browser configured to allow session cookies and javascript, but that VM is a LiveCD boot - no hard drive. I use it for very specific reasons like banking. If I want to visit less-safe-parts-of-the-internet, I reboot the VM and have at it, but turn off javascript so those scripts don't attempt to hack other machines on my internal network. I really need to setup another network for that type of use.
Yep, thank you Captain Hindsight.
TFA makes it clear that it is impossible to repair the current cookie system: it is really badly broken, and several previous attempts have failed.
Could we therefore design a complete new replacement system, to be implemented in parallel, and added as part of the HTML5 standard? If it were well specified, so that all implementations were consistent, and had all the features that TFA shows are needed, it should be both easy to use and have serious benefits for the site designer as well as the user. In which case, designers might be inclined to do
if then else
The important thing is that it must be easy to use the replacement (e.g. no inter-browser weirdness) and the designer must get some payoff in terms of a better site. Of course, the user will also get a payoff - probably bigger - in terms of better security amongst other things. But, realistically, it is the designers convenience which will win the day. Once you get the big four (or so) browsers implementing the same standard, and designers regarding that as a preferred option, it has a chance of taking over.
Who can design such a system? Assuming a perfect "supercookie" system is designed, how do we get it into the standard? And what is the game-changing power feature that will bribe site designers to use the supercookie?
Consciousness is an illusion caused by an excess of self consciousness.
Surely I wasn't the only one to think this:
MIKE WAZOWSKI!
"Working" is measured over a very wide spectrum. On one hand, we have "broken", and on the other we have "working perfectly". The web is far, far closer to the "broken" side of the spectrum than it ever has been to the "working perfectly" side.
Put simply, almost everything about the web is one filthy hack upon another. It's a huge stack of shitty "extensions" that were often made with little thought, so it's no wonder web development is so horrible today.
HTTP has been repurposed far more than it should have been. Its lack of statefulness has resulted in horrible hacks like cookies and AJAX. HTTP makes caching far harder than it should be. SSL and TLS are mighty awful hacks. And those are just a few of its problems!
HTML is a mess, and HTML5 is just going to make the situation worse. Even after 20 years, layout is still a huge hassle. CSS tries to bring in concepts from the publishing world, but they're not at all what we need for web layout, and thus everyone is unhappy.
A lot of people will claim otherwise, and they're wrong, but JavaScript is a fucking horrible scripting language. It's even worse for writing anything significant. And no, it's absolutely nothing like Scheme (some JavaScript advocate always makes this stupid claim whenever the topic of JavaScript's horrid nature comes up).
PHP is one of the few popular languages that can rival JavaScript in terms of being absolutely shitty. Then there are other server-side shenanigans like the NoSQL movement, which arose solely because there are a lot of web "developers" who don't know how to use relational databases properly. I've seriously dealt with such "developers" and many of them didn't even know what indexes are!
Most web browsers themselves are quite shitty. It has gotten better recently, but they still use huge amounts of RAM for the relatively simple services they provide.
The only people involved with some sort of web-related software development who aren't absolute fuck-ups are those working on HTTP servers like Apache HTTPd, nginx, and lighttpd. But now we're seeing crap like Mongrel and Mongrel2 arising in this area, so maybe it's only a matter of time before the sensible developers here move on.
So just because the web is "sort of broken", rather than "completely fucking broken", it doesn't mean that it's "working".
Why go hatin' on this particular protocol?
Most of them are just nuckin futs:
* FTP: needs two connections. Commands and responses and data are not synced in any way. No way to get a reliable list of files. No standard file listing format. No way to tell what files need ASCII and which need BIN mode. And probably more fubarskis.
* Telnet: The original handshake protocol is basically foobar-- the handshakes can go on forever. Several RFC patches did not help much. Basically the clients have to kinda cut off negotiations at some point and just guess what the other end can and will do.
* SMTP: You can't send a line with the word "From" as the first word? I'm not a typewriter? WTF?
Let's see:
1. IP is a stateless protocol, that's inconvenient for some things, so
2. We build TCP on it to make it stateful and bidirectional.
3. On top of TCP, we build HTTP, which is stateless and unidirectional.
4. But whoops, that's inconvenient. We graft state back into it with cookies. Still unidirectional though.
5. The unidirectional part sucks, so various hacks are added to make it sorta bidirectional like autorefresh, culminating with AJAX.
Who knows what else we'll end up adding to this pile.
A pretty interesting write up :)
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
A session is forever
i love your design
And let's replace IPv4 while we're at it!
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Most of the crap we surround ourselves with (cookies, MIME, Windows and Office, etc.) are still there because they are there and the alternatives aren't.
What is the alternative to using cookies, really? Almost every framework for web-based development has session support that largely relies on cookies. Give me something more secure that works as easily and I will be using it right away.
Assorted stuff I do sometimes: Lemuria.org
1. Sure
2. stateful, stream-oriented, *and* reliable
3. HTTP designed as a stateless datagram model, but wanted reliability, so TCP got chosen for lack of a better option. SCTP if it had existed might have been a better model, but for the time the stateful stream aspect of TCP was forgiven since it could largely be ignored but reliability over UDP was not so trivial.
4. More critically, the cookie mechanism strives to add stateful aspects that cross connections. This is something infeasible with TCP. Simplest example, HTTP 'state' strives to survive events like client IP changes, server failover, client sleeping for a few hours, or just generally allowing the client to disconnect and reduce server load. TCP state can survive none of those.
5. Indeed, at least AJAX enables somewhat sane masking of this, but the only-one-request-per-response character of the protocol means a lot of things cannot be done efficiently. If HTTP had allowed arbitrary server-side HTTP responses for the duration of a persistent http connection, that would have greatly alleviated the inefficiencies that AJAX methods strive to mask.
XML is like violence. If it doesn't solve the problem, use more.
Why can't we just start over with an entirely new web standard that would be designed in a more efficient manner?
Yes, why don't we? The layered nature of the protocol stack is meant to allow for multiple versions and revisions of various and sundry functionality and interaction between layers. All the bright outspoken /.'ers here can go off and build some newer, better layers, or even a whole new stack!
No more cookies needed, huzzah!
It didn't make mistakes that closely resemble those in Telnet, tftp, ftp, smtp, it made what may be considered completely distinct 'mistakes' in retrospect.
However, if you confine the scope of HTTP use to what it was intended, it holds up pretty well. It was intended to serve up material that would ultimately manifest on a endpoint as a static document. Considerations for some server-side programmatic content tweaking based on client given cues was baked in to give better coordination between client and server and some other flexibility, but it was not intended to be the engine behind highly interactive applications 'rendered' by the server. HTTP was founded at a time when the internet at large wasn't particularly shy about developing new protocols running over TCP or UDP and I'm sure the architects of HTTP would've presumed such a usage model would have induced a new protocol rather than a mutation of HTTP over time.
Part of the whole 'REST' philosophy is to get back to the vision that HTTP targets. Strictly speaking, a RESTful implementation is supposed to eschew cookies and server maintained user sessions entirely. Every currently applicable embodiment of data is supposed to have its own *U*RL and authentication when required is HTTP auth. Thanks to Javascript a web application can still avoid popping up the inadequate browser provided login dialog as well as assembling disparate data at the client side rather than server side. It doesn't work everywhere, and often even when it does it's kinda mind warping to get used to, but it does try to use HTTP more in the manner it was archictected to be used.
XML is like violence. If it doesn't solve the problem, use more.
Oh for fucks sake, stop being a fucking puritan, you fucktard!
Huh? The article is talking about HTTP, not HTML. Those two are not related in any way, Flash is also sent via HTTP.
SNMP is a nightmare. There was a doc out there that used SNMP as an exemplar of "how not to write a protocol."
It's easy to forget, but these protocols were designed back in the day when there wasn't a lot of ram, bandwidth, or CPU.
Most of the problems with everything have been well-discussed. You can dig into the past to see, but interoperability with existing implementations is always the blocking factor.
Heck, everyone knew the problems with ActiveX when it was announced...but that didn't stop MS. Same with cookies. If you want to see excitement, you can mine all the old protocol-level vulnerabilities just by plowing through usenet archives.
Let's not confuse html with http. This is already messy territory as it is
We're talking about HTTP, not HTML. Just because they are often used together doesn't mean they are the same thing. In fact, they couldn't be more different; one is a communications protocol, the other is a markup language - I hope to god you can figure out which is which from that much.
But HTML is a terrible mess of kludges that doesn't work very well, too. It's just that most people on Slashdot consider it to be superior to Flash, even though it lacks a lot of Flash's basic functionality, and lacks all of the nice development tools that Flash has. Most of this stems from security paranoia (legitimate, but overblown in 99% of cases) and its tendency to crash (more significant issue, IMO, and also legitimate - also the cause of much of the security paranoia).
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
The therm Cookie is sometimes used to describe small dog poop of the breeds that are not able to produce regular cakes.
Just imagine how screwed we are, when M$ introduces cakes.
He basically said "everyone apart from me sucks".
which is totally what she said
What does that tell you about how bad Flash is that HTML5 is such a massive improvement over it?
Don't thank God, thank a doctor!
I can sometimes appreciate instances where people reasonably just want to get crap done skipping enumeration of all possible issues and setting minimum requirements and formal descriptions. It's too easy to go overboard and have the extra effort not actually contribute tangable improvements to the real world.
Implementors are lazy skipping sentances, paragraphs, whole pages, sections and sometimes just make honest mistakes. Once a specification is deployed it is very difficult - sometimes a practical impossibility to change the deployed behavior after the fact because this would lead to breakage in the field. The net result is it is ususally the case reality trumps specification.
I guess what I'm arguing it is easy to look back and say wait a minute... I am not convienced had all semantics and corners been worked out origionally there would be a guarantee many of the same issues would have not existed.
I learned some things about sub domains (WTF were they smoking) and disagree WRT importance of attack scenarios that expire old cookies by registering a bunch of new ones. It is stupid crap like this and a general additude of members of standards groups trying to be clever and think of everything which lead to absurdity in specifications.
The language, encoding, size and httponly only points are in my view pedantic -- not really big issues. The implmentation issues described are tangential to the issue of specification quality.
Anyway I hope they do a post on cache headers.
Yes, and actually I agree with jabberw0k. There's simply no call for that kind of language; it added nothing to the points being made, and in fact distracted the poster from what had been a reasonably cogent argument up until that point.
If you reread the AC post, he/she makes several good points with some substance in the first four paragraphs - and then just lets rip with the profanity in the fifth paragraph, which, coincidentally, is where the entire post dissolves into a bunch of assertions with little to no rationale provided.
"Javascript is horrible." Oh, okay, then - why? "PHP is just as dreadful." Really, you don't say? Justify this assertion, please. "Every web developer who doesn't fit my narrow criteria is automatically rubbish." Glad you are still giving us some cogent points, then.
For what it's worth, I actually agree that "working" is different from "working well". One of my day jobs is as a member sitting on an interoperability panel at the moment, and you very quickly realize that something can meet the base level of "it does what it says" and fail miserably to be compatible and interoperable with other products.
But I don't need to descend to toilet language to explain this.
Cookies are not a protocol, they're HTTP Extension Headers with associated (bad) logic. I'm glad that Google's Security Researchers know and understand the difference.
... than "I don't like it."
HTTP has been repurposed far more than it should have been. Its lack of statefulness has resulted in horrible hacks like cookies and AJAX
AJAX? I can understand the cookie criticism, which TFA did a pretty good overview of, but AJAX's place is pretty much orthogonal to the issue of state. People resort to hacks *with* AJAX because browsers don't have a protocol with sessions, but even if we did, AJAX-like APIs and idioms would exist and continue to be used.
layout is still a huge hassle. CSS tries to bring in concepts from the publishing world, but they're not at all what we need for web layout
Layout -- even cross-platform layout -- is actually pretty easy if you use a subset of CSS positioning for the problems it's good at and tables for cases where it isn't.
A lot of people will claim otherwise, and they're wrong,
I predict a lot of the people who claim otherwise will do something you manage to neglect in their comment: provide justification for their statements. Perhaps you can try that your second time around instead of merely pounding your fist on the table about your personal opinion.
but JavaScript is a fucking horrible scripting language. It's even worse for writing anything significant.
Worse than what? How?
And no, it's absolutely nothing like Scheme (some JavaScript advocate always makes this stupid claim whenever the topic of JavaScript's horrid nature comes up).
It's enough like Scheme on at least two important fronts (functions as first class values, scoping rules) that it's false to say it's "nothing" like Scheme, and the related idioms that grow up around those common parts of the language are important to using it that it's a reasonable comparison, even with all the syntactic weight that JavaScript has and the missing features like macros and tail-call optimization.
the NoSQL movement, which arose solely because there are a lot of web "developers" who don't know how to use relational databases properly. I've seriously dealt with such "developers" and many of them didn't even know what indexes are!
A lack of programmer familiarity with the setup and querying of RDBMSs is a problem, and yes, set up properly, they can be pretty darn effective for a lot of situations some devs are using NoSQL solutions for, but saying the later are there "solely" for this reason is just as ignorant.
Tweet, tweet.
If a line starting with "From " is changed to start with ">From ", then one must also change ">From " to ">>From " and so on. Without this, mail gets mangled.
When reading mail, that transform must be undone. Note that even in cases where mail was stored without ">From " being changed to ">>From " it is likely less destructive to do unescaping than not. This is because humans seldom send email containing lines that start with ">From " but frequently send emails with lines starting with "From ".
Sure, the spec itself is retarded, but cookies have been around long enough that we, the developers, have learned their quirks and know how to avoid them. For starters, no sane coder would actually stuff several cookies full of 4096-byte data chunks. They are mostly used for storing a relatively small session ID, with the big data blobs stored server-side, where they are actually used anyway.
The cross-domain issue is indeed annoying for sites that do mass vhosts like "username.somedomain.com". I frankly have never used cross-domain cookies, when it is easier at both ends to pass the ID in a URL. I'm not saying they should completely disable this feature, but maybe turn it into an opt-in kind of thing, to be decided by the user. I consider it far more secure for such sites to use cross-domain JS includes (pull), rather than someone else's cookies (push).
-Billco, Fnarg.com
HTTP is a huge complex mountain of hacks on top of other hacks. We are just lucky that no more 'features' have been added to it for some time.
I have been thinking about defining a sane subset and calling it HTTP 0.2, but every time I look into it the sheer messiness of the HTTP standard and existing implementations is just too depressing to handle.
"When in doubt, use brute force." Ken Thompson