WebApp Sec mailing list archives

Re: Session Fixation


From: Alex Russell <alex () netWindows org>
Date: Mon, 31 Mar 2003 10:16:20 -0600

On Monday 31 March 2003 07:19 am, Information Security wrote:
> I recently visited a site (I think it might have been my bank) where they
> actually had an option for "additional security" where you could link the
> session to your IP address.  I was impressed, and thought it was a great
> option, but I'm not sure how many non-security folks would.

I'm afraid I fail to see the value. What if you're an AOL subscriber? Your 
"extra security" is then shared by some number of other millions of 
clueless, easily rootable users. Better yet, if the connection is encrypted 
with SSL (it is, isn't it?), you've already bought AT LEAST this much 
security (an attacker would have to compromise your session key in order to 
spoof your session, not just something as trivial as an IP addr). The 
bank's "feature" is the security equivalent of a placebo.

This topic has been discussed at length on this list, and every time it is, 
the consensus is reached that "binding" some session identifier to an IP 
address is not only ineffectual, it provides a false sense of security. 
This can almost be worse than providing poor security measures in the first 
place, as it (incorrectly) increases one's trust in a system that provides 
no real benefit. IP is _designed_ to be unreliable, insecure transport. 
That's why it took over the world. Trying to assign security significance 
to a protocol that was designed not to provide any is a misplaced bet.

> But the nice thing was that the communications--calling it an "additional
> security feature" rather than something very technical.

Hrm, one might take them to task for even mis-labeling that. More 
appropriately it could be "additional feature we thought would be neat, but 
provides no real security value. Use it if you want to feel better about 
not really doing anything about security."

Ok. I'll stop ranting now.

-- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
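The shared-address argument made in the post, shown as an added Python sketch (not code from the post or from the list): a toy server-side session table with the "link the session to your IP address" option switched on. The proxy address, the second address and the user name are constructed values; the point it shows is that the check only ever compares source addresses, so every client behind the same shared egress address passes it.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    bound_ip: Optional[str]  # None when the "additional security" option is off


class SessionStore:
    """Toy session table; constructed for illustration, not a real framework."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str, bind_ip: bool) -> str:
        # Random, unguessable session id; the IP is recorded only if binding is on.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip if bind_ip else None)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user owning sid, or None if unknown or the IP check fails."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.bound_ip is not None and s.bound_ip != client_ip:
            return None
        return s.user


def shared_proxy_scenario() -> Dict[str, Optional[str]]:
    """Simulate the post's AOL case: many subscribers share one egress address."""
    store = SessionStore()
    proxy_ip = "203.0.113.7"  # constructed: shared proxy / NAT address
    sid = store.create("alice", proxy_ip, bind_ip=True)
    return {
        # The legitimate owner, coming through the proxy, is accepted.
        "owner_via_proxy": store.lookup(sid, proxy_ip),
        # Anyone else behind the same proxy who obtains sid is accepted too:
        # the binding distinguishes nothing among the proxy's users.
        "other_subscriber_same_proxy": store.lookup(sid, proxy_ip),
        # Only a client presenting the id from a different address is refused.
        "client_elsewhere": store.lookup(sid, "198.51.100.9"),
    }
```

The binding therefore only narrows who can present a stolen id to "anyone behind the same address", which on a large shared proxy is the population the post describes; protecting the id in transit (SSL) is what actually keeps it from being observed.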