Re: Re: Cookie Security

[Audrius <organzarama () gmail com>]

Elliott, I have found in my archive what I wanted to explain you (but
my English isn't good enough for word fight) and why your method will
not protect from packets sniffing. It's a 6 min. video on defeating
remote-exploit.com forum client side security. Security implementation
on forum is quite similar to your method and video shows how to defeat
it by using network sniffers.

http://rapidshare.com/files/112803255/Sniff_Forum_Password.rar.html

Just choose "Free", download it and learn. :)

Audrius

>  "If I'll get a users password MD5 from cookies,"
>  If that information is made available to an attacker, a level of security
> has been bypassed already...
>  I am protecting from network eavesdropping (packet sniffers) here.
>
>  "It means I must to find a way how to get cookies."
>  All web applications suffer this problem, even over SSL. This is NOT what i
> am trying to fix here.
>
>  "Actually I do not see any advantages in your method. I think that tokens
> can give the same functionality"
>  "Both methods are prone to same attacks"
>  Both not true. Tokens can be sniffed and used. My method stops this. That
> is the advantage.
>
>
>  "I think you also must concentrate more on other parts of security too"
>  I agree, however, any chain is only as strong as it's weakest link... right
> now, that is this issue!
>  I have analyzed all aspects of the system including client OS, browser,
> user awareness (all of which we are lucky enough to manage also) :-)
>  Priority has been given to this flaw.