[17239] in cryptography@c2.net mail archive


Re: What happened with the session fixation bug?

daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri May 20 22:45:18 2005

X-Original-To: cryptography@metzdowd.com
Date: Fri, 20 May 2005 23:21:35 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com, cypherpunks@lne.com
In-Reply-To: <427CCA9B.29132.760A1FC@localhost>

James A. Donald wrote:
>     --
> PKI was designed to defeat man in the middle attacks
> based on network sniffing, or DNS hijacking, which
> turned out to be less of a threat than expected.
> 
> However, the session fixation bugs
> http://www.acros.si/papers/session_fixation.pdf make
> https and PKI worthless against such man in the middle
> attacks.  Have these bugs been addressed?

Do they exist? Certainly any session ID I've ever had a hand in has two 
properties that strongly resist session fixation:

a) If a session ID arrives, it should already exist in the database.

b) Session IDs include HMACs.

Session fixation is defeated by either of these. Modulo insider attacks, 
of course. :-)

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
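The two properties Ben lists, that a presented session ID must already exist in the server-side store (a) and that session IDs carry an HMAC (b), as an added illustration; this is not code from the original message, and the in-memory store, the server key and the function names are assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the HMAC; a real deployment keeps this out of source.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory store standing in for the session database (property a).
_sessions: dict[str, str] = {}


def _tag(token: str) -> str:
    """HMAC-SHA256 tag over the random token (property b)."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str) -> str:
    """Mint a fresh session ID: random token + HMAC tag, recorded server-side."""
    token = secrets.token_hex(16)
    sid = f"{token}.{_tag(token)}"
    _sessions[sid] = user
    return sid


def lookup_session(sid: str):
    """Return the user bound to a presented session ID, or None if it is rejected.

    Property (b): the HMAC tag must verify, so a client cannot mint its own IDs.
    Property (a): the ID must already be in the store, so an ID the server never
    issued is not silently adopted as a new session.
    """
    token, sep, tag = sid.partition(".")
    if not sep or not hmac.compare_digest(tag, _tag(token)):
        return None
    return _sessions.get(sid)


def resolve_request_session(presented, anonymous_user: str = "anon"):
    """Handle the session cookie on an incoming request.

    Returns (sid, is_new). A presented ID that passes both checks is kept;
    anything else is discarded and a server-issued ID is sent back instead,
    so a value planted in the client never becomes the session it then uses.
    """
    if presented is not None and lookup_session(presented) is not None:
        return presented, False
    return issue_session(anonymous_user), True
```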
