WebApp Sec mailing list archives
RE: How to protect against cookie stealing?
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Fri, 25 Jul 2003 11:49:35 +0200
> -----Original Message-----
> From: .:[ Death Star]:. [mailto:deathstar () optonline net]
>
> Mr. Dawes,
>
> If the website is a company private site that only needs to be accessed by customers, employees, and partners, and the integrity of the information is a top priority, then using such things as ActiveX is important at the time being.

I agree. Internal sites that have control over their clients (to the extent that they can dictate the network architecture, and the existence and configuration of proxies, etc) are in a much stronger position, and CAN implement source IP restrictions. Internet sites that need to offer services to the public at large, and cannot dictate ISP etc, are worse off.

> Another thing, if we are to eliminate things like proxies that provide anonymity, then we are destroying the only thing left out there to protect the privacy of the user.

This argument is irrelevant - we are IDENTIFYING the user when they log on to our site, so privacy concerns are inconsequential. Talking about eliminating proxies in general is a topic for a different thread, I think.

> A new solution needs to take place; for example, using smart cards in the identification process when a user wants to buy something online (just like the Blue card from American Express).

An SSL-based (client certificate) solution will certainly be an improvement. Then the server will be able to use the SSL CN or DN as the "session identifier", and that would eliminate the problem of session hijacking.

> There will always be proxies, there will always be spoofers, and there will always be uber haxors, and no matter what we do, until we have the actual access control generated physically from the user station there will always be session hijacking.
>
> Regards, Tarek.

As you say, the SSL client certificate is handled outside of the browser and is non-hijackable (apart from spyware or other locally executed programs) and thus "physically from the user station". Looking forward to that day when client certs are ubiquitous :-)

Rogan
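Rogan's suggestion of keying the session on the SSL client certificate's DN rather than on a cookie, as an added example that is not from this thread. It assumes a TLS front end in the style of Apache mod_ssl that verifies the client chain and exposes SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN to the application; the trusted CA name, user DNs and requests are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Session:
    subject_dn: str
    issuer_dn: str
    data: dict = field(default_factory=dict)

# Constructed in-memory store keyed on (issuer DN, subject DN): a subject DN is
# only unique within the CA that issued it, so the issuer is part of the key.
_SESSIONS: Dict[Tuple[str, str], Session] = {}

# Constructed: the only client CA whose certificates identify our users.
TRUSTED_ISSUERS = {"CN=Example Client CA,O=Example Corp"}

def session_from_tls(env: dict) -> Optional[Session]:
    """Return the session for the verified client certificate, or None.

    `env` carries the per-request variables mod_ssl sets after the handshake
    (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN). Cookies, headers and
    form fields are deliberately not consulted: there is no bearer value to steal.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # no certificate presented, or the chain did not validate
    subject, issuer = env.get("SSL_CLIENT_S_DN"), env.get("SSL_CLIENT_I_DN")
    if not subject or issuer not in TRUSTED_ISSUERS:
        return None  # chain validated, but not a CA we accept for login
    return _SESSIONS.setdefault((issuer, subject), Session(subject, issuer))

def demo() -> Dict[str, bool]:
    """Constructed requests: the owner, then three attempts to reuse her session."""
    ca = next(iter(TRUSTED_ISSUERS))
    alice = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_I_DN": ca,
             "SSL_CLIENT_S_DN": "CN=alice,O=Example Corp"}
    session_from_tls(alice).data["cart"] = ["widget"]

    def sees_cart(env: dict) -> bool:
        s = session_from_tls(env)
        return s is not None and "cart" in s.data

    return {
        "owner_on_new_connection": sees_cart(alice),
        # the DN alone, with no private key behind it, never reaches SUCCESS
        "dn_without_certificate": sees_cart({**alice, "SSL_CLIENT_VERIFY": "NONE"}),
        # identical subject DN, but issued by a CA the site does not trust
        "same_dn_from_rogue_ca": sees_cart({**alice, "SSL_CLIENT_I_DN": "CN=Rogue CA"}),
        # another properly enrolled user lands in her own, separate session
        "other_enrolled_user": sees_cart({**alice, "SSL_CLIENT_S_DN": "CN=mallory,O=Example Corp"}),
    }
```

The issuer check duplicates what the TLS layer's CA configuration should already enforce; keeping it in the application is defence in depth against a misconfigured front end.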