Security Basics mailing list archives
Re: Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Mon, 5 May 2008 22:33:48 +0300
Elliott,

I have found in my archive what I wanted to explain to you (but my English isn't good enough for a word fight) and why your method will not protect from packet sniffing. It's a 6 min. video on defeating remote-exploit.com forum client-side security. The security implementation on the forum is quite similar to your method, and the video shows how to defeat it by using network sniffers.

http://rapidshare.com/files/112803255/Sniff_Forum_Password.rar.html

Just choose "Free", download it and learn. :)

Audrius

"If I'll get a users password MD5 from cookies,"

If that information is made available to an attacker, a level of security has been bypassed already... I am protecting from network eavesdropping (packet sniffers) here.

"It means I must to find a way how to get cookies."

All web applications suffer this problem, even over SSL. This is NOT what I am trying to fix here.

"Actually I do not see any advantages in your method. I think that tokens can give the same functionality"
"Both methods are prone to same attacks"

Both not true. Tokens can be sniffed and used. My method stops this. That is the advantage.

"I think you also must concentrate more on other parts of security too"

I agree, however, any chain is only as strong as its weakest link... right now, that is this issue! I have analyzed all aspects of the system including client OS, browser, user awareness (all of which we are lucky enough to manage also) :-) Priority has been given to this flaw.