On 12 Jun 2003 at 16:25, Steve Schear wrote: 


This flaw is massive, and the biggest villain is the server
side code created for Apache.

When you login to your bank, your e-gold account, your 
stockbroker, or your domain registrar, someone else can share 
your login.

It is a security design error in the development environments 
for active server pages (all of them).  Every such development 
environment will have to be changed, and every login script 
written for existing environments needs to have some kind of 
workaround cobbled into it.

The ideal solution is to change the development environment so 
that your session identifier is linked to the shared symmetric 
key used in any https conversation during that session, which 
requires tight coupling of https and development environments 
for active server pages.

In the long term, https must be amended to have a concept of 
login and session, and make that sessionID available to the 
server side coding environments. 

         James A. Donald
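The binding the post proposes (a session identifier that is only valid on the TLS channel that created it) can be sketched server-side without changing the TLS stack. The following is an added example written for this page, not code from the original post or from any server product; the `channel_key` argument stands in for a per-connection secret handed up from TLS (in a real deployment that would be an exporter value or channel-binding token, never the raw symmetric key itself), and all channel keys and user names below are constructed test data.

```python
import hashlib
import hmac
import secrets


class UnboundSessionStore:
    """The status quo the post complains about: a session cookie alone
    names the session, so whoever presents it is the user."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        session_id = secrets.token_bytes(16)
        self._sessions[session_id] = user
        return session_id.hex()

    def lookup(self, cookie):
        try:
            return self._sessions.get(bytes.fromhex(cookie))
        except ValueError:
            return None


class BoundSessionStore:
    """Session table whose entries are tied to the TLS channel that
    created them.  `channel_key` is assumed to be a per-connection secret
    exported from TLS; the server never stores it, only an HMAC tag over
    (session_id, channel_key) under a server-side key."""

    def __init__(self):
        self._mac_key = secrets.token_bytes(32)  # server-side secret
        self._sessions = {}

    def _tag(self, session_id, channel_key):
        return hmac.new(self._mac_key, session_id + b"|" + channel_key,
                        hashlib.sha256).digest()

    def login(self, user, channel_key):
        session_id = secrets.token_bytes(16)
        self._sessions[session_id] = (user, self._tag(session_id, channel_key))
        return session_id.hex()

    def lookup(self, cookie, channel_key):
        try:
            session_id = bytes.fromhex(cookie)
        except ValueError:
            return None
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, tag = entry
        # Same cookie arriving over a different TLS channel recomputes to a
        # different tag, so a copied cookie is rejected.
        if not hmac.compare_digest(tag, self._tag(session_id, channel_key)):
            return None
        return user


def hijack_demo():
    """Replay a stolen cookie through both stores.  Returns
    (unbound_result, bound_result): the unbound store hands the attacker
    the victim's session, the bound store does not."""
    victim_channel = b"constructed-tls-exporter-A"    # constructed
    attacker_channel = b"constructed-tls-exporter-B"  # constructed

    unbound = UnboundSessionStore()
    stolen = unbound.login("alice")
    unbound_result = unbound.lookup(stolen)  # attacker is "alice"

    bound = BoundSessionStore()
    stolen = bound.login("alice", victim_channel)
    bound_result = bound.lookup(stolen, attacker_channel)  # None
    return unbound_result, bound_result


if __name__ == "__main__":
    print(hijack_demo())
```

The practical caveat is the one the post glosses over: the binding holds only while the TLS connection (or resumed session) that produced `channel_key` is alive, so a client that opens several connections, or renegotiates, must re-authenticate or the store must accept a list of channel keys per session; this is why a deployable version derives the secret with a TLS exporter rather than reading the record-layer key directly.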

The Cryptography Mailing List
