On Thu, 20 Jan 2011 03:36:03 -0600, Dave Sherohman wrote:

> On Wed, Jan 19, 2011 at 02:47:11PM +0000, Camaleón wrote:
>> On Wed, 19 Jan 2011 07:17:58 -0600, Dave Sherohman wrote:
>> > When dealing with sites which use session cookies, "public
>> > navigation" *is* "sensitive data", as every request sent will include
>> > the cookie(s) which identify you and an attacker who gains access to
>> > that data would be able to use those cookies to impersonate you for
>> > the lifetime of that session, as demonstrated by the recent uproar
>> > over FireSheep.
>>
>> Data stored in cookies is not what I understand for "sensitive". What
>> kind of information do you think are cookies managing?
>
> As I said earlier, websites which use persistent sessions store the
> session id in a cookie. While this cookie does not contain any data
> which is meaningful outside of the context of your persistent session,
> it is somewhat sensitive in that an attacker would be able to
> impersonate you by cloning your session cookie. This would then allow
> them to create or access content on the site which issued the cookie as
> if they were you, potentially gaining access to more conventionally
> sensitive information or fraudulently posting from your account, for the
> remaining lifetime of the session.
>
> Some sites do associate the originating IP address with the session data
> to help protect against session hijacking, but this is not overly
> widespread and, even when it is employed, it has issues with proxies
> (which can cause multiple users to appear on a single address) or
> reverse proxies (which can cause a single user to appear on multiple
> addresses), so https really is the only surefire way to prevent it.
(As I have just mentioned to Celejar, these problems do exist, but they're not "exclusively" solved with https encryption.)

Greetings,

-- 
Camaleón

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/pan.2011.01.20.15.34...@gmail.com
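The two mitigations the thread contrasts, as an added example that is not part of either poster's message: the Secure attribute that keeps a session cookie off plain-http requests (so "public navigation" no longer carries the session id), and the IP binding whose proxy failure modes Dave describes. The session store and the 203.0.113.x addresses are constructed for the example.

```python
# Added example, Python 3 standard library only; not code from the thread.
from http.cookies import SimpleCookie


def build_session_cookie(session_id, secure=True, http_only=True):
    """Return a Set-Cookie value carrying the session id.

    Secure: the browser only attaches the cookie to https:// requests, so
    it is not exposed on plain-http page loads the way FireSheep relied on.
    HttpOnly: page scripts cannot read it, narrowing other theft routes.
    """
    jar = SimpleCookie()
    jar["sid"] = session_id
    jar["sid"]["path"] = "/"
    jar["sid"]["secure"] = secure
    jar["sid"]["httponly"] = http_only
    return jar["sid"].OutputString()


def cookie_sent_over(set_cookie_value, scheme):
    """Model the browser rule: a Secure cookie is never sent over http."""
    attrs = {a.strip().lower() for a in set_cookie_value.split(";")[1:]}
    return scheme == "https" or "secure" not in attrs


# Constructed in-memory session store: sid -> {"user": ..., "ip": ...}
SESSIONS = {}


def start_session(session_id, user, client_ip):
    SESSIONS[session_id] = {"user": user, "ip": client_ip}


def validate_session(session_id, client_ip):
    """Return the user for a valid session, or None.

    The IP comparison is the binding Dave mentions. It is weak in both
    directions: clients behind one forward proxy share an address, so a
    cloned cookie presented from that address passes; and a user whose
    requests arrive from several addresses is rejected mid-session.
    TLS is what actually stops the cookie being captured in transit.
    """
    sess = SESSIONS.get(session_id)
    if sess is None or sess["ip"] != client_ip:
        return None
    return sess["user"]
```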