--
James A. Donald wrote:
> > Adversary accesses web site as if about to log in,
> > gets a session ID. Then supplies false information
> > to someone else's browser, causes that browser on
> > someone else's computer to use that session ID.
> > Someone else logs in with hacker's session
James A. Donald wrote:
| Adversary accesses web site as if about to log in, gets
| a session ID. Then supplies false information to
| someone else's browser, causes that browser on someone
| else's computer to use that session ID. Someone else
| logs in with hacker's session ID, and now the ad
--
James A. Donald wrote:
> > The way to beat session fixation is to issue a
> > privileged and impossible to predict session ID in
> > response to a correct login.
> >
> > If, however, you grant privileges to a session ID on
> > the basis of a successful login, which is in fact
> > the usu
James A. Donald wrote:
--
James A. Donald:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
However, the session fixation bugs
http://www.acros.si/papers/session_fixation.pdf make
ht
James A. Donald wrote:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
asymmetric cryptography has a pair of keys ... the other of the key-pair
decodes what has been encoded by one of them
In message <[EMAIL PROTECTED]>, "James A. Donald" writes:
>--
>PKI was designed to defeat man in the middle attacks
>based on network sniffing, or DNS hijacking, which
>turned out to be less of a threat than expected.
>
First, you mean "the Web PKI", not PKI in general.
The next part of this i
--
James A. Donald:
> > PKI was designed to defeat man in the middle attacks
> > based on network sniffing, or DNS hijacking, which
> > turned out to be less of a threat than expected.
> >
> > However, the session fixation bugs
> > http://www.acros.si/papers/session_fixation.pdf make
> > ht
James A. Donald wrote:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
all of them may have been less than expected ... the commonly
recognized SSL certificate issuers (that have their pu
James A. Donald wrote:
--
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
However, the session fixation bugs
http://www.acros.si/papers/session_fixation.pdf make
https and PKI worthless aga