James A. Donald wrote:
| Adversary accesses web site as if about to log in, gets
| a session ID. Then supplies false information to
| someone else's browser, causes that browser on someone
| else's computer to use that session ID. Someone else
| logs in with hacker's session ID, and now the
--
James A. Donald:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
However, the session fixation bugs
http://www.acros.si/papers/session_fixation.pdf make
--
James A. Donald wrote:
The way to beat session fixation is to issue a
privileged and impossible to predict session ID in
response to a correct login.
If, however, you grant privileges to a session ID on
the basis of a successful login, which is in fact
the usual practice,
--
In message [EMAIL PROTECTED], James A. Donald writes:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
First, you mean the Web PKI, not PKI in general.
The next part of this is circular
James A. Donald wrote:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
asymmetric cryptography has a pair of keys ... the other of the key-pair
decodes what has been encoded by one of
--
James A. Donald:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
However, the session fixation bugs
http://www.acros.si/papers/session_fixation.pdf make
https and PKI
James A. Donald wrote:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
all of them may have been less than expected ... the commonly
recognized SSL certificate issuers (that have their
--
James A. Donald wrote:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
However, the session fixation bugs
http://www.acros.si/papers/session_fixation.pdf make
https and PKI worthless