On Wed, Jan 19, 2011 at 02:47:11PM +0000, Camaleón wrote:
> On Wed, 19 Jan 2011 07:17:58 -0600, Dave Sherohman wrote:
> > When dealing with sites which use session cookies, "public navigation" *is* "sensitive data", as every request sent will include the cookie(s) which identify you and an attacker who gains access to that data would be able to use those cookies to impersonate you for the lifetime of that session, as demonstrated by the recent uproar over FireSheep.
>
> Data stored in cookies is not what I understand for "sensitive". What kind of information do you think cookies are managing?
As I said earlier, websites which use persistent sessions store the session id in a cookie. While this cookie does not contain any data which is meaningful outside of the context of your persistent session, it is somewhat sensitive in that an attacker would be able to impersonate you by cloning your session cookie. This would then allow them to create or access content on the site which issued the cookie as if they were you, potentially gaining access to more conventionally sensitive information or fraudulently posting from your account, for the remaining lifetime of the session.

Some sites do associate the originating IP address with the session data to help protect against session hijacking, but this is not overly widespread and, even when it is employed, it has issues with proxies (which can cause multiple users to appear on a single address) or reverse proxies (which can cause a single user to appear on multiple addresses), so https really is the only surefire way to prevent it.

--
Dave Sherohman

Archive: http://lists.debian.org/20110120093603.gg3...@sherohman.org
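The session-cookie behaviour described in the reply, as an added example that is not part of the original thread: a constructed server-side session store shows that a cloned cookie is accepted from anywhere when the session is unbound, and that binding the session to the client address still misses a clone arriving via the same forward proxy or NAT while wrongly rejecting a real user whose address changes behind a reverse proxy. The `Secure` and `HttpOnly` cookie attributes and all addresses are assumptions for illustration, not something the message specifies.

```python
from dataclasses import dataclass
import secrets
from typing import Optional

@dataclass
class Session:
    user: str
    bound_ip: Optional[str]  # None: cookie alone is the credential (no IP binding)

class SessionStore:
    """Server-side session store; a constructed example, not real site code."""

    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip
        self._sessions: dict = {}

    def login(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session id goes in the cookie
        self._sessions[sid] = Session(user, client_ip if self.bind_ip else None)
        return sid

    def resolve(self, sid: str, client_ip: str) -> Optional[str]:
        """User this request is treated as, or None if the session is rejected."""
        s = self._sessions.get(sid)
        if s is None or (s.bound_ip is not None and s.bound_ip != client_ip):
            return None
        return s.user

def set_cookie_header(sid: str) -> str:
    # Secure: the browser sends the cookie only over https, so it never crosses
    # the network in clear; HttpOnly keeps page scripts from reading it (RFC 6265).
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; Path=/"

def scenarios() -> dict:
    """Replay the cases from the message with constructed (documentation) addresses."""
    unbound, bound, out = SessionStore(False), SessionStore(True), {}
    # No binding: a copied cookie is accepted from any address.
    sid = unbound.login("alice", "203.0.113.10")
    out["no_binding_cloned"] = unbound.resolve(sid, "198.51.100.7")
    sid = bound.login("alice", "203.0.113.10")
    # Binding rejects a clone presented from another address ...
    out["bound_cloned_other_ip"] = bound.resolve(sid, "198.51.100.7")
    # ... but not one behind the same forward proxy / NAT (many users, one address),
    out["bound_cloned_same_proxy"] = bound.resolve(sid, "203.0.113.10")
    # and it wrongly rejects the real user when a reverse proxy or a changed egress
    # presents a new address (one user, many addresses).
    out["bound_legit_new_address"] = bound.resolve(sid, "203.0.113.11")
    return out
```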