[13619] in cryptography@c2.net mail archive
Re: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (tom st denis)
Fri Jun 13 15:12:08 2003
X-Original-To: cryptography@metzdowd.com
Date: Fri, 13 Jun 2003 11:16:26 -0700 (PDT)
From: tom st denis <tomstdenis@yahoo.com>
To: cryptography@metzdowd.com
In-Reply-To: <3EE9ACE0.22197.A992AA7@localhost>
--- "James A. Donald" <jamesd@echeque.com> wrote:
> --
> On 12 Jun 2003 at 16:25, Steve Schear wrote:
> http://www.acros.si/papers/session_fixation.pdf
>
> Wow.
>
> This flaw is massive, and the biggest villain is the server
> side code created for Apache.
You really lack some fundamental understanding.
https uses a secure private link to create a private http session. It
has NOTHING to do with authentication nor identity.
For example, when you first login to say yahoo [for email] you're on
https. Even before yahoo knows who you are. Think of a verbal
handshake in the "get smart" cone of silence.
The fact that people randomly give away *their* secrets doesn't mean
the system is flawed. It means the people are ignorant.
Tom
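An added example, not part of the thread or the paper it cites: a small in-memory session store (constructed here, with my own names SessionStore, login_fixable, login_rotating and demo) that shows why the transport is beside the point. Nothing about https is modelled; the defect and its fix both live in how the server treats the session identifier at the moment of authentication.

```python
import secrets


class SessionStore:
    """Constructed stand-in for a web app's server-side session table."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": str | None}

    def new_session(self):
        """Anonymous (pre-login) session, as a server issues on first visit."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_fixable(self, sid, user):
        """Vulnerable pattern: authenticate the existing id in place, so an id
        that was known before login is now an authenticated session."""
        if sid not in self._sessions:
            return None
        self._sessions[sid]["user"] = user
        return sid

    def login_rotating(self, sid, user):
        """Mitigated pattern: retire the pre-login id and issue a fresh one at
        authentication, so no pre-login id ever becomes authenticated."""
        if sid not in self._sessions:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def demo(rotate):
    """Log a user in through a pre-login id and report which user the
    server associates with that original id afterwards. None means the
    pre-login id carries no identity, which is the behaviour to want."""
    store = SessionStore()
    pre_login_sid = store.new_session()
    login = store.login_rotating if rotate else store.login_fixable
    login(pre_login_sid, "alice")
    return store.user_for(pre_login_sid)
```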
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com