On Thu, 27 Apr 2000, John M Vinopal wrote:
> I am a bad hacker and watching your line. I see cookies A and B go to you.
> I set cookies A and B in my web browser. I am now you. You can try to
> permute the cookies with IP# (breaks on proxies) or Browser type, but all
> cookie based approaches believe in the value of something sent cleartext.
> Or use SSL.
Well, uh, duh. Any authentication sent in plain text (telnet, rsh,
ftp) is insecure. NO authentication scheme is secure unless it uses
encryption on the line. SSL is necessary (but not sufficient) for secure
authentication by any means.
Those of us who have implemented secure web sites know that it is hard but
not impossible to do. There are headaches associated with just about
every aspect of it. The funny thing is, the major websites almost always
get it wrong! Many of them do not escape HTML in form input. They do not
validate form or URI input. They do all sorts of wanky things with
cookies.
My personal philosophy is to spend a lot of cycles on site security and
get rid of all problems that are legitimately on the server
side. Anything that triggers bugs in the browsers I leave up to the
browser vendors. In my current work, we have built in a system for
allowing and disallowing browser revisions as new stuff comes across on
BugTraq.
-jwb
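An added example, written for this thread and not code from either correspondent, showing the two defensive points made above in working form: a small audit of Set-Cookie headers that flags a session cookie the browser will send in cleartext (no Secure attribute, so the sniffer on the line gets it over http:// even if the site also offers SSL), a builder for the hardened form, and the HTML escaping of form input that the message says many sites skip. The cookie names and values are constructed for illustration; the audit uses only the standard library's `http.cookies` parser.

```python
"""Audit Set-Cookie headers for cleartext exposure and escape form input.

Added example for the thread above, not part of the original mail.
All cookie names/values below are constructed sample data.
"""
import html
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> list[str]:
    """Return findings for one Set-Cookie header value.

    Without the Secure attribute the browser also sends the cookie over
    plain HTTP, so anyone watching the line can read it and replay it;
    without HttpOnly it is also readable by any script that reaches the
    page (e.g. via unescaped form input); without SameSite it rides along
    on cross-site requests.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings: list[str] = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent in cleartext over http://)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page script)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


def hardened_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value that only travels over SSL/TLS."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # never sent over plain HTTP
    jar[name]["httponly"] = True    # not exposed to document.cookie
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def render_greeting(form_name: str) -> str:
    """Reflect a form field into HTML with every special character escaped."""
    return f"<p>Hello, {html.escape(form_name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed sample: a session cookie set with no attributes at all.
    for line in audit_set_cookie("sid=abc123"):
        print("FINDING:", line)
    print("hardened:", hardened_set_cookie("sid", "abc123"))
    print(render_greeting('<script>alert("x")</script>'))
```

The audit can be pointed at the Set-Cookie headers a server actually emits (for example from a captured response) to catch the "wanky things with cookies" the mail complains about before an attacker on the line does; a hardened header round-trips through the audit with no findings.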