[3811] in WWW Security List Archive
Re: Cookie question
daemon@ATHENA.MIT.EDU (Roberto Galoppini)
Mon Dec 16 07:18:41 1996
Date: Mon, 16 Dec 1996 11:37:24 +0100
From: Roberto Galoppini <rgaloppini@tim.it>
Reply-To: rgaloppini@tim.it
To: Steven Bellovin <smb@research.att.com>
CC: "David W. Morris" <dwm@xpasc.com>, "David B. Donahue" <ddonahue@emf.net>,
David Ray <daver@idiom.com>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> On Fri, 13 Dec 1996, David B. Donahue wrote:
>
> > In this way, even though the underlying password wasn't readable in
> > the cookie, because all cookie passwords (in this config) are decrypted
> > the same way, the encrypted password simply becomes the password.
>
Steven Bellovin wrote:
>
> If the cookie file, or lines of it, are stored encrypted under some key,
> it's reasonably safe from theft, since that encrypted form is not transmitted.
Me:
What do you think about reducing the 'path of trust' from end-to-end
to user-to-browser? A plug-in or whatever else you like could manage
passwords kept in the cookies file, bringing part of the security
mechanism to the browser level, for example using challenge-response.
Of course, browser-based software should be trusted.
Roberto Galoppini
rgaloppini@tim.it
"Web wasn't supposed to be safe, like everything else"
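The contrast the thread draws, a fixed encrypted cookie value that "becomes the password" once captured versus a browser-held secret used only in a challenge-response, as an added example that is not part of the original thread. The secret, nonce size and HMAC-SHA256 construction are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed secret the browser-side component keeps locally (for example in
# an encrypted cookie store). In this scheme it is never sent on the wire.
CLIENT_SECRET = b"constructed-browser-held-secret"


def static_token_accepted(stored_token: str, presented: str) -> bool:
    """The 'encrypted password in the cookie' case: the server accepts the
    same fixed value on every request, so a captured copy is as good as the
    password itself."""
    return hmac.compare_digest(stored_token, presented)


def server_issue_challenge() -> bytes:
    """Server side: a fresh random nonce for each authentication attempt."""
    return os.urandom(16)


def client_respond(secret: bytes, nonce: bytes) -> str:
    """Browser side: prove possession of the secret without transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def server_verify(secret: bytes, nonce: bytes, response: str) -> bool:
    """Server side: recompute the expected response and compare in constant
    time. The server must hold the same secret, so this protects the wire,
    not the server's own credential store."""
    expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def captured_response_is_rejected() -> bool:
    """Record one valid response, then present it against a new challenge.
    Returns True when the replay is refused, the property the static-token
    scheme lacks."""
    nonce1 = server_issue_challenge()
    captured = client_respond(CLIENT_SECRET, nonce1)
    if not server_verify(CLIENT_SECRET, nonce1, captured):
        return False  # the legitimate exchange itself must succeed
    nonce2 = server_issue_challenge()  # fresh nonce, never reused
    return not server_verify(CLIENT_SECRET, nonce2, captured)
```

The nonce must be unpredictable and never reused; a server that hands out the same challenge twice reduces this back to the static-token case.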