Opened 6 years ago
Last modified 6 years ago
#1668 new enhancement
Channel-Bound Cookies Implementation in nginx
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.15.x |
| Keywords: | | Cc: | |
| uname -a: | Linux ip-172-31-43-3 4.14.72-68.55.amzn1.x86_64 #1 SMP Fri Sep 28 21:14:54 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | | |
| nginx -V: | nginx/1.12.1 | | |
Description
Hi,
I've just had a look at this post about a Chrome security vulnerability that allows stealing cookies, and since a possible mitigation to this technique of stealing cookies would be having TLS Channel-Bound Cookies (http://www.browserauth.net/channel-bound-cookies), I was wondering if there is any plan to implement this feature into nginx.
It would be particularly useful in a reverse-proxy configuration, so that nginx could validate the cookie before sending it to the backend app.
It doesn't look like something nginx should / can do automatically, especially given
in the linked document. Though support for passing the Token Binding key to the application might make sense, once it is supported by OpenSSL and browsers. It doesn't seem to be widely supported though, and an experimental implementation was recently removed from Chrome, see https://crbug.com/467312 and https://crbug.com/875046.