RE: How to protect against cookie stealing?

["Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>]

> -----Original Message-----
> From: .:[ Death Star]:. [mailto:deathstar () optonline net] 

> Mr. Dawes,

> If the website is a company private site that only needs to 
> be accessed
> by customers, employees, and partners, and the integrity of the
> information is a top priority then using such thing as ActiveX is
> important at the time being. 

I agree. Internal sites that have control over their clients (to the extent
that they can dictate the network architecture, and the existence and
configuration of proxies, etc) are in a much stronger position, and CAN
implement source IP restrictions.

Internet sites that need to offer services to the public at large, and
cannot dictate ISP etc, are worse off.

> Another thing, if we to eliminate things like proxy's that provide
> anonymity then we are destroying the only thing left out there to
> protect the privacy of the user. 

This argument is irrelevant - we are IDENTIFYING the user when they log on
to our site, so privacy concerns are inconsequential. Talking about
eliminating proxies in general is a topic for a different thread, I think.

> A new 
> solution needs
> to take place; for example, using smart cards in the identification
> process when a user wants to buy something online (just like the Blue
> card from American Express). 

An SSL-based (client certificate) solution will certainly be an improvement.
Then the server will be able to use the SSL CN or DN as the "session
identifier", and that would eliminate the problem of session hijacking.

> There will always be proxies, there will
> always be spoofers, and there will always be uber haxors, and 
> no matter
> what we do, until we have the actual access control generated 
> physically
> from the user station there will always be session hijacking.
>
> Regards,
>
> Tarek.

As you say, the SSL client certificate is handled outside of the browser and
is non-hijackable (apart from spyware or other locally executed programs)
and thus "physically from the user station".

Looking forward to that day when client certs are ubiquitous :-)

Rogan

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") 
that must be accessed and read by clicking here or by copying and pasting the following address into your Internet 
browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this 
email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access 
the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre () Deloitte co za.