[3799] in WWW Security List Archive


Re: Cookie question

daemon@ATHENA.MIT.EDU (David B. Donahue)
Fri Dec 13 17:45:15 1996

Date: Fri, 13 Dec 1996 11:39:44 -0800
From: "David B. Donahue" <ddonahue@emf.net>
Reply-To: ddonahue@emf.net
To: David Ray <daver@idiom.com>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

David Ray wrote:
> 
> At 12:24 AM 12/12/96, Edwin Ng wrote:
> > If the service provider's server stores your password in your cookie file,
> > then you should stop using its services. Storing login passwords in a
> > cookie file is a big security risk. I still firmly believe typing in the
> > password and login name over and over again....
> 
> I agree, if they store the password in clear text, and I hope that nobody
> would be stupid enough to do that. More likely they would encrypt it using a
> sufficiently strong encryption algorithm like DES. If sensitive information
> is sufficiently encrypted then it's safe to be in the cookie.

I would have to disagree. Even if a password were stored in a cookie using the
strongest encryption (like RSA with 3072-bit keys), a hacker with the encrypted
value from a cookie could simply put the same encrypted value in a cookie on his
own machine and have full access to what the password protected. The remote
server would request the stolen and copied encrypted cookie, decrypt it and
check the password.

This is essentially the same procedure it would follow when using it normally
for the real user.

In this way, even though the underlying password wasn't readable in the cookie,
because all cookie passwords (in this config) are decrypted the same way, the
encrypted password simply becomes the password.

So it's not any more secure than just storing the password in straight text.

-David Donahue

------------------------------------------------
Disclaimer: My views are my own and may or may not represent anyone else's or
any company I may or may not be working for...
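An added example, not part of the thread above: the replay Donahue describes,
worked out in Python. The user table, the server key and the HMAC-based stream
cipher standing in for DES are all constructed here for illustration, and the
in-memory session store, its 30-minute lifetime and every function name are
assumptions of this example rather than anything from the list. The first
scheme puts the encrypted password in the cookie and decrypts whatever arrives,
so a copied cookie logs in indefinitely without the attacker ever learning the
key or the password. The second issues an opaque random session id that the
server can expire or revoke; a stolen copy still replays while the session is
live (it is a bearer token too), but it carries no password and stops working
at expiry or logout.

```python
# Added example (not from the thread): an "encrypted password" cookie is
# replayable no matter how strong the cipher, and what a server-side session
# cookie changes. Key, user table, cipher and store are constructed here.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed server-only secret; the attacker never sees it.
SERVER_KEY = b"constructed-server-side-secret-key"

# Constructed user table (plaintext only to keep the example short).
USERS = {"alice": "correct horse battery staple"}


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream standing in for the DES/RSA of the thread.
    Without SERVER_KEY the attacker cannot invert it, which is exactly the
    property that turns out not to matter for replay."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(SERVER_KEY, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


# --- Scheme 1: the encrypted password lives in the cookie -------------------

def make_password_cookie(username: str, password: str) -> str:
    """Server issues 'user:nonce:ciphertext'. Nothing binds it to the browser
    it was issued to, and nothing in it ever expires."""
    nonce = secrets.token_bytes(8)
    return f"{username}:{nonce.hex()}:{_xor(password.encode(), nonce).hex()}"


def login_with_password_cookie(cookie: str) -> bool:
    """Server decrypts whatever cookie arrives and compares the password.
    A copied cookie is decrypted exactly like the real user's, so the
    ciphertext is the credential."""
    try:
        username, nonce_hex, ct_hex = cookie.split(":")
        plain = _xor(bytes.fromhex(ct_hex), bytes.fromhex(nonce_hex))
    except ValueError:          # malformed cookie
        return False
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(plain, expected.encode())


# --- Scheme 2: opaque server-side session; the password never leaves --------

SESSION_TTL = 30 * 60                       # seconds; assumption of this example
SESSIONS: Dict[str, Tuple[str, float]] = {}  # token -> (username, expiry)


def issue_session(username: str, password: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Check the password once, then hand out a random token that means
    nothing outside SESSIONS and dies at expiry or on logout."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(password.encode(),
                                                   expected.encode()):
        return None
    token = secrets.token_urlsafe(32)
    start = now if now is not None else time.time()
    SESSIONS[token] = (username, start + SESSION_TTL)
    return token


def login_with_session_cookie(token: str, now: Optional[float] = None) -> bool:
    """Still a bearer token: a live copy replays. The difference is that it
    contains no password and the server can end it."""
    entry = SESSIONS.get(token)
    if entry is None:
        return False
    _username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        SESSIONS.pop(token, None)           # expired: drop it server-side
        return False
    return True


def logout(token: str) -> None:
    SESSIONS.pop(token, None)


def demo() -> Dict[str, bool]:
    """Replay both cookie types from an 'attacker' machine; every value is
    True when the example behaves as the lead-in describes."""
    pw = USERS["alice"]
    t0 = 1_000_000.0
    stolen_pw_cookie = make_password_cookie("alice", pw)   # copied from victim
    stolen_session = issue_session("alice", pw, now=t0)    # copied from victim
    revoked = issue_session("alice", pw, now=t0)
    logout(revoked)                                        # victim logs out
    return {
        "password_not_visible": pw not in stolen_pw_cookie,
        "pw_cookie_replays": login_with_password_cookie(stolen_pw_cookie),
        "session_replays_while_live":
            login_with_session_cookie(stolen_session, now=t0 + 60),
        "session_dead_after_ttl":
            not login_with_session_cookie(stolen_session, now=t0 + SESSION_TTL + 1),
        "session_dead_after_logout":
            not login_with_session_cookie(revoked, now=t0 + 60),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it directly and every line prints True. The stream cipher is only there to
make the cookie opaque; swapping in real DES or RSA changes nothing in
login_with_password_cookie, which is the point of the post.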
