On Mon, Nov 16, 2009 at 11:30 AM, Bernie Cosell <ber...@fantasyfarm.com> wrote:

> As I understand it, this is only really a vulnerability in situations
> where a command to do something *precedes* the authentication to enable
> the command.  The obvious place where this happens, of course, is with
> HTTPS where the command [GET or POST] comes first and the authentication
> [be it a cookie or form vbls] comes later.

This last part is not really accurate - piggybacking the evil command
onto authentication that is later presented is certainly one possible
attack, but there are others, such as the Twitter POST attack and the
SMTP attack outlined by Wietse Venema (which doesn't work because of
implementation details, but _could_ work with a different

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to