Just turning the random number into a session id should be sufficient and
we can forget the MD5 altogether. But if someone figures out the seed
and can guess future subsequent numbers, then they can guess future
session ids.
By using a hashing algorithm - it makes it impossible to guess what
First, note that any session-id provides only the flimsiest sort of
security. Proper authentication was described a long time ago:
Needham, Roger; Schroeder, Michael (December 1978), Using encryption
for authentication in large networks of computers, *Communications of the
ACM* *21* (12):
I'd like to re-raise an issue, since I didn't get too much of a
response, originally. Who can I talk to to lobby to get the default
behavior of using MD5 session token hashes to change? If you weren't
aware of it, there has been a recent and highly-publicized breaking of
SSL, by creating a
you don't need to lobby, simply create a patch in Bugzilla
Minoo Hamilton wrote:
I'd like to re-raise an issue, since I didn't get too much of a
response, originally. Who can I talk to to lobby to get the default
behavior of using MD5 session token hashes to change? If you weren't
aware of
Filip Hanik - Dev Lists wrote:
you don't need to lobby, simply create a patch in Bugzilla
Although it is likely to get ignored / end up as WONTFIX. I don't see
what the security issue is here. How does an MD5 collision affect the
security of the session ID?
Mark
Minoo Hamilton wrote:
I'd
How would you reverse a session-id from an MD5 hash? The exploit used to
forge an SSL certificate will not help you. The MD5 exploit is irrelevant to
this particular usage.
Lots of links and discussion:
http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
If you are connecting to
Perhaps, I am making a big deal over a small theoretical issue, but I
don't think I am. In my mind, if you're ever in a situation to
guess/predict/brute force a valid and current session token, there are a
range of session hijacking possibilities that are all potentially bad.
If you'd really
Preston L. Bannister wrote:
How would you reverse a session-id from an MD5 hash? The exploit used to
forge an SSL certificate will not help you. The MD5 exploit is irrelevant to
this particular usage.
Lots of links and discussion:
Mark Thomas wrote:
Filip Hanik - Dev Lists wrote:
you don't need to lobby, simply create a patch in Bugzilla
Although it is likely to get ignored / end up as WONTFIX. I don't see
what the security issue is here. How does an MD5 collision affect the
security of the session ID?
The only
It is probably due to old code which works just fine when SHA might not
have been easily available in all JVMs. (back in 2002?)
So a quick recap for folks ... a session id is generated by
1) Getting a random number
2) Hashing it
3) Converting the hashed bytes to something text [base64] so they