WebApp Sec mailing list archives
Re: Session Fixation
From: Alex Russell <alex () netWindows org>
Date: Mon, 31 Mar 2003 10:16:20 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 31 March 2003 07:19 am, Information Security wrote:

> I recently visited a site (I think it might have been my bank) where they actually had an option for "additional security" where you could link the session to your IP address. I was impressed, and thought it was a great option, but I'm not sure how many non-security folks would.

I'm afraid I fail to see the value. What if you're an AOL subscriber? Your "extra security" is then shared by some number of other millions of clueless, easily rootable users. Better yet, if the connection is encrypted with SSL (it is, isn't it?), you've already bought AT LEAST this much security (an attacker would have to compromise your session key in order to spoof your session, not just something as trivial as an IP addr). The bank's "feature" is the security equivalent of a placebo.

This topic has been discussed at length on this list, and every time it is, the consensus is reached that "binding" some session identifier to an IP address is not only ineffectual, it provides a false sense of security. This can almost be worse than providing poor security measures in the first place, as it (incorrectly) increases one's trust in a system that provides no real benefit. IP is _designed_ to be unreliable, insecure transport. That's why it took over the world. Trying to assign security significance to a protocol that was designed not to provide any is a misplaced bet.

> But the nice thing was that the communications--calling it an "additional security feature" rather than something very technical.

Hrm, one might take them to task for even mis-labeling that. More appropriately it could be "additional feature we thought would be neat, but provides no real security value. Use it if you want to feel better about not really doing anything about security."

Ok. I'll stop ranting now.

- --
Alex Russell
alex () netWindows org
alex () SecurePipe com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+iGnYoV0dQ6uSmkYRAr2uAKCPZfN3nRPGqRZTt9No1IbgE2IS4gCgu09Y
yAyEUa/7Et/jm5AMl+kw/+E=
=7d14
-----END PGP SIGNATURE-----
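The argument above (that tying a session identifier to the client IP adds nothing beyond the secrecy of the session token, and is blind to anyone sharing a large ISP proxy) can be made concrete with a small server-side session table. This is an added illustration written for this archive page, not code from the original message or its author; the `SessionStore` class, the `bind_to_ip` option and the two IP addresses are hypothetical, constructed values.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed addresses for the illustration. The first stands in for a large
# shared ISP proxy (the "AOL subscriber" case); the second for an unrelated host.
SHARED_PROXY_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"


@dataclass
class Session:
    user: str
    bound_ip: Optional[str]  # None when IP binding is switched off


class SessionStore:
    """Hypothetical server-side session table with an optional IP-binding check."""

    def __init__(self, bind_to_ip: bool) -> None:
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        # A 128-bit random token is the actual secret protecting the session;
        # it is what an attacker would have to obtain, with or without IP binding.
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user, client_ip if self.bind_to_ip else None)
        return token

    def lookup(self, token: str, client_ip: str) -> Optional[str]:
        """Return the session owner for a presented token, or None if the token is
        unknown or the optional IP check fails. The server only ever sees the
        source address, so two clients behind one proxy look identical here."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.bound_ip is not None and session.bound_ip != client_ip:
            return None
        return session.user


def demo() -> Dict[str, Optional[str]]:
    """Exercise the four cases the message discusses and return the outcomes."""
    store = SessionStore(bind_to_ip=True)
    token = store.login("alice", SHARED_PROXY_IP)
    return {
        # The owner using the session through the shared proxy.
        "owner_same_proxy": store.lookup(token, SHARED_PROXY_IP),
        # Another subscriber behind the same proxy presenting a leaked token:
        # the IP check passes, because the address is the same.
        "peer_behind_same_proxy": store.lookup(token, SHARED_PROXY_IP),
        # A leaked token presented from elsewhere is the only case the check catches.
        "leaked_token_other_ip": store.lookup(token, OTHER_IP),
        # Without the token, the request is rejected regardless of source address;
        # the random token, not the address, is what carries the security.
        "guessed_token_same_proxy": store.lookup(secrets.token_hex(16), SHARED_PROXY_IP),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `peer_behind_same_proxy` case is the one the reply is making: from the server's point of view it is indistinguishable from `owner_same_proxy`, so the IP check cannot reject it. The `guessed_token_same_proxy` case shows that the protection which does exist comes from the unguessable token, which a TLS-protected connection already keeps from a network observer.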
Current thread:
- Session Fixation St. Clair, James (Mar 25)
- Re: Session Fixation Gary Gwin (Mar 27)
- <Possible follow-ups>
- RE: Session Fixation Mark Mcdonald (Mar 27)
- RE: Session Fixation Information Security (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation HarryM (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation HarryM (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)