James A. Donald wrote:
--
James A. Donald:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
However, the session fixation bugs
http://www.acros.si/papers/session_fixation.pdf make
https and PKI worthless against such man in the
middle attacks. Have these bugs been addressed?
On 20 May 2005 at 23:21, Ben Laurie wrote:
Do they exist? Certainly any session ID I've ever had
a hand in has two properties that strongly resist
session fixation:
a) If a session ID arrives, it should already exist in
the database.
b) Session IDs include HMACs.
The way to beat session fixation is to issue a
privileged and impossible to predict session ID in
response to a correct login.
If, however, you grant privileges to a session ID on the
basis of a successful login, which is in fact the usual
practice, you are hosed. The normal programming model
creates a session ID, then sets variables and flags
associated with that session ID in response to forms
submitted by the user. To prevent session fixation, you
must create the session ID with unchangeable privileges
from the moment of creation.
Why? I suspect you are thinking of an attack other than session
fixation. How does your attack work?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
