[3804] in WWW Security List Archive
Re: Cookie question
daemon@ATHENA.MIT.EDU (David Ray)
Sat Dec 14 13:22:59 1996
Date: Sat, 14 Dec 1996 08:37:38 -0800
To: www-security@ns2.rutgers.edu
From: daver@idiom.com (David Ray)
Cc: ddonahue@emf.net
Errors-To: owner-www-security@ns2.rutgers.edu
Point well taken; I agree that a hacker could re-use an encrypted piece of
information by copying it from the cookie file on one machine to a cookie
file on another.
Perhaps the information could be safer if it would only be used after some
kind of authentication, such as a secure login. As another example, an
encrypted cookie could contain sensitive information as well as the
time/date of the period it would be valid for. Or the encrypted data could
contain an IP address or some other identifying feature that the hacker was
unaware of.
I think there is a solution that depends on the specifics of the data and
how it could be used. I'm confident that sensitive information in the
cookie could be made secure by taking sufficient precautions.
-dave
At 11:39 AM 12/13/96, David B. Donahue wrote:
> David Ray wrote:
> >
> > At 12:24 AM 12/12/96, Edwin Ng wrote:
> > > If the service provider's server stores your password in your cookie file,
> > > then you should stop using its services. Storing login passwords in a
> > > cookie file is a big security risk. I still firmly believe typing in the
> > > password and login name over and over again....
> >
> > I agree, if they store the password in clear text, and I hope that nobody
> > would be stupid enough to do that. More likely they would encrypt it using a
> > sufficiently strong encryption algorithm like DES. If sensitive information
> > is sufficiently encrypted then it's safe to be in the cookie.
>
> I would have to disagree, even if a password were stored in a cookie using the
> strongest encryption (like RSA with 3072-bit keys), a hacker with the encrypted
> value from a cookie could simply put the same encrypted value in a cookie on his
> own machine and have full access to what the password protected. The remote server
> would request the stolen and copied encrypted cookie, decrypt it and check the
> password.
>
> This is essentially the same procedure it would follow when using it normally for
> the real user.
>
> In this way, even though the underlying password wasn't readable in the cookie,
> because all cookie passwords (in this config) are decrypted the same way, the
> encrypted password simply becomes the password.
>
> So it's not any more secure than just storing the password in straight text.
>
> -David Donahue
>
> ------------------------------------------------
> Disclaimer: My views are my own and may or may not represent anyone else's or any
> company I may or may not be working for...
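The two designs argued over in this thread, as an added worked example that is not code from either correspondent: a "naive" cookie that carries the encrypted password (Donahue's point: whoever copies it holds a working credential) beside a cookie issued only after login that carries a validity window and the client address (Ray's suggestion). Everything here is constructed for the demonstration: the server key, the user store, the addresses and timestamps, and the encryption itself, which is a CTR-style keystream built from HMAC-SHA256 so the example runs on the Python standard library alone (it stands in for whatever cipher the server would really use; the choice of cipher is not what decides replayability).

```python
import base64
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

# Constructed demo key (32 bytes); a real server would generate and keep its own secret.
SERVER_KEY = b"constructed-demo-key-not-secret!"
# Constructed credential store, used only by the naive design below.
USERS = {"alice": "correct horse battery staple"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream with HMAC-SHA256 as the PRF (an assumption of this
    # example, chosen so it needs no third-party cipher library).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC: nonce || ciphertext || tag, URL-safe base64 for a cookie value."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, cookie: str) -> Optional[bytes]:
    """Return the plaintext, or None if the cookie is malformed, altered or forged."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None
    if len(raw) < 48:  # 16-byte nonce + 32-byte tag at minimum
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Naive design: the password itself, encrypted, lives in the cookie ---------

def naive_issue(key: bytes, user: str, password: str) -> str:
    return seal(key, json.dumps({"user": user, "password": password}).encode())


def naive_check(key: bytes, cookie: str, client_ip: str, now: int) -> bool:
    # client_ip and now are accepted but never consulted: nothing in the
    # plaintext ties it to a machine or a moment, so a copied cookie is as
    # good as the original. The encrypted password *is* the password.
    pt = unseal(key, cookie)
    if pt is None:
        return False
    claim = json.loads(pt)
    return USERS.get(claim["user"]) == claim["password"]


# --- Bound design: issued after a real login, carries no password ---------------

def bound_issue(key: bytes, user: str, client_ip: str, now: int, ttl: int) -> str:
    # Identity plus the "period it would be valid for" and the client address
    # the thread proposes; the MAC inside seal() stops anyone editing those fields.
    return seal(key, json.dumps({"user": user, "ip": client_ip, "exp": now + ttl}).encode())


def bound_check(key: bytes, cookie: str, client_ip: str, now: int) -> Optional[str]:
    pt = unseal(key, cookie)
    if pt is None:
        return None
    claim = json.loads(pt)
    if now >= claim["exp"] or claim["ip"] != client_ip:
        return None
    return claim["user"]


def flip_one_bit(cookie: str) -> str:
    # Modify one ciphertext byte to show the integrity check catching it.
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[20] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def demo() -> dict:
    # Scenario from the thread: alice's cookie file (host 10.0.0.1) is copied to
    # another host (10.0.0.2). Timestamps are constructed epoch seconds.
    issued_at, later, much_later = 1_000_000, 1_000_100, 1_000_700
    naive = naive_issue(SERVER_KEY, "alice", USERS["alice"])
    bound = bound_issue(SERVER_KEY, "alice", "10.0.0.1", issued_at, ttl=600)
    return {
        "naive_copy_accepted_elsewhere": naive_check(SERVER_KEY, naive, "10.0.0.2", much_later),
        "bound_same_client": bound_check(SERVER_KEY, bound, "10.0.0.1", later),
        "bound_copied_to_other_host": bound_check(SERVER_KEY, bound, "10.0.0.2", later),
        "bound_after_expiry": bound_check(SERVER_KEY, bound, "10.0.0.1", much_later),
        "bound_bit_flipped": bound_check(SERVER_KEY, flip_one_bit(bound), "10.0.0.1", later),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")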