-- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected.
However, the session fixation bugs http://www.acros.si/papers/session_fixation.pdf make https and PKI worthless against such man in the middle attacks. Have these bugs been addressed?
Do they exist? Certainly any session ID I've ever had a hand in has two properties that strongly resist session fixation:
a) If a session ID arrives, it should already exist in the database.
b) Session IDs include HMACs.
Session fixation is defeated by either of these. Modulo insider attacks, of course. :-)
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
