On 28.12.2012 20:06, Robert Moskowitz wrote:
> Harald,
>
> I am beginning to see what you are doing; through some foggy glasses. Still
> need to read more, and today was not a reading day. I am struggling to
> understand the attack space.
>
> How can the user submit their cookie over a non-ssl connection when the
> server redirects everything to https? The only scenario I have come up
> with is with the login screen in front of them, the user changes the
> method to http, enters in their data and sends?
Because the browser sends cookies in the HTTP header at the first connect. The redirect from the server is also a header, of the RESPONSE; at this time the cookie was already sent unencrypted.
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
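The sequence Harald describes above, as an added illustration that is not part of the mailing-list thread or of Roundcube's own code: a minimal model of a browser's cookie jar that shows the cookie leaving in the request headers before the server's redirect response ever arrives, and how the cookie's `Secure` attribute (RFC 6265) keeps it off the plain-http request. The cookie name `sessid`, its value, and the hostname `mail.example.test` are constructed sample values.

```python
"""Why a session cookie reaches the wire in clear text even though the
server redirects every http:// request to https://.

The browser attaches cookies to the REQUEST headers. The server's 301/302
redirect is part of the RESPONSE, so by the time the redirect arrives the
cookie has already crossed the network unencrypted. The browser-side
defence is the cookie's `Secure` attribute, which stops the cookie from
being attached to any http:// request in the first place.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # RFC 6265 "Secure" attribute


def request_headers(scheme: str, host: str, jar: list[Cookie]) -> dict:
    """Build the headers a browser would send for scheme://host/.

    Cookies marked Secure are withheld on plain http:// requests; everything
    else is sent regardless of scheme.
    """
    sendable = [c for c in jar if scheme == "https" or not c.secure]
    headers = {"Host": host}
    if sendable:
        headers["Cookie"] = "; ".join(f"{c.name}={c.value}" for c in sendable)
    return headers


def simulate_first_visit(jar: list[Cookie], host: str = "mail.example.test") -> dict:
    """Simulate a user typing the bare hostname into the address bar.

    Step 1: the browser opens http://host/ and sends its request headers
            (including any cookies it is allowed to send) in clear text.
    Step 2: only now does the server answer, with a redirect to https://.
    Step 3: the browser follows the redirect; this request goes over TLS.
    Returns what was exposed in step 1 and what was sent in step 3.
    """
    cleartext = request_headers("http", host, jar)          # step 1
    response = {"status": 301, "Location": f"https://{host}/"}  # step 2
    encrypted = request_headers("https", host, jar)         # step 3
    return {
        "exposed_cookie_header": cleartext.get("Cookie"),
        "redirect": response,
        "https_cookie_header": encrypted.get("Cookie"),
    }


if __name__ == "__main__":
    # Constructed sample cookie; "sessid" is a placeholder, not a real name.
    for secure in (False, True):
        jar = [Cookie("sessid", "abc123", secure=secure)]
        result = simulate_first_visit(jar)
        print(f"Secure={secure}: sent over http -> {result['exposed_cookie_header']!r}, "
              f"sent over https -> {result['https_cookie_header']!r}")
```

Without `Secure`, the clear-text request in step 1 already carries `sessid=abc123`; with `Secure` set, the http request carries no cookie and the session cookie is only sent once the redirect has moved the browser to https. Note that the `Secure` flag protects the cookie but not the initial plain-http round trip itself; the browser still makes that request, and only something like an HSTS policy (remembered from an earlier https visit) makes the browser skip the http connection entirely.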
