[4691] in WWW Security List Archive
Re: SecureID alternatives?
daemon@ATHENA.MIT.EDU (Roberto Galoppini)
Thu Mar 6 12:59:11 1997
Date: Thu, 06 Mar 1997 16:13:58 +0100
From: Roberto Galoppini <rgaloppini@tim.it>
Reply-To: rgaloppini@tim.it
To: Vin McLellan <vin@shore.net>
CC: jch@vasco.com, www-security@ns2.rutgers.edu, tel1dvw@is.ups.com,
aisecur!KClancy@bpd.treas.gov, adam@homeport.org
Errors-To: owner-www-security@ns2.rutgers.edu
Vin McLellan wrote:
<snip>
> (I'm confused by your statement that cookies, tags, or digests
> "without ssl AND a 'short' timeout....are pretty useless...." Since SSL
> gets established first, I don't see any threat to cookie, etc.,
> subsequently transmitted through the secure SSL pipe.)
What I (confusedly) meant is that any trick to re-authenticate users
through cookies, hidden tags and so on, if it's NOT under the SSL
umbrella, is insecure. Then I talked about FW-1 HTTP auth through SecurID
as an example of this (it uses the UU encoded basic auth scheme of HTTP 1.0
and it DOESN'T allow SSL sessions, unless you bought release 3.0).
Roberto Galoppini
rgaloppini@tim.it
"Re-Speak, friend, and re-enter"
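
The point made in the message above, as an added example that is not part of the original post: a small audit that reports which re-authentication material in a request is readable on the wire when the connection is not under SSL. The function names and the sample request are constructed for illustration.

```python
import base64

# Headers that carry re-authentication material on every request.
CREDENTIAL_HEADERS = ("authorization", "cookie")

def parse_request(raw: str):
    """Split a raw HTTP request into (request_line, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit(raw: str, over_tls: bool):
    """Return (header, finding) pairs for credentials exposed in transit."""
    if over_tls:
        return []  # headers travel inside the encrypted channel
    _, headers = parse_request(raw)
    findings = []
    for name in CREDENTIAL_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        scheme, _, token = value.partition(" ")
        if name == "authorization" and scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode("latin-1")
            except ValueError:
                findings.append((name, "malformed Basic token"))
                continue
            user, _, secret = decoded.partition(":")
            # Basic auth is an encoding, not encryption: no key is needed.
            findings.append(
                (name, f"user={user!r}, {len(secret)}-char secret recoverable by decoding"))
        else:
            findings.append((name, "replayable value sent in clear"))
    return findings

# Constructed sample request (not captured traffic).
SAMPLE = ("GET /private/ HTTP/1.0\r\n"
          "Authorization: Basic " + base64.b64encode(b"alice:1234567890").decode() + "\r\n"
          "Cookie: session=constructed-example-value\r\n\r\n")

if __name__ == "__main__":
    for header, finding in audit(SAMPLE, over_tls=False):
        print(f"{header}: {finding}")
```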