RE: (robust web apps) Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

> -----Original Message-----
> From: Florian Weimer [mailto:fw () deneb enyo de] 
>
> At some point, you simply have to face that it's impossible to write
> robust web applications.  There are too many bugs and too many
> questionable practices users have grown accustomed to, and have to be
> supported.

I simply can't agree with you. That's what RFCs exist for. The answers
are out there and I fully believe we're capable of finding them. Users
expectations evolve over time. Education is part of our task.
 
> What's worse is that browsers are *required* to leak plenty of data
> between sites of varying trust.  You can't build a reliable
> application on top of this foundation.

Well now you have a point here which still amazes me. The primary bank
I use finally gets SSL. One of the top 10 banks in the world and ever
time I click on "billpay" they send me to one of checkfree's URLs and
different SSL cert, etc. So now they finally frame it so the SSL is valid
and I simply see a lot of requests and cookies from an invalid domain.

:)

But there is a better answer out there. I think you mean "right now"
with "this technology" in which case I'm still not sure I've thought
through everything enough to agree. But I am a slow thinker anyway...

Arian



The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or 
privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information 
by persons or entities
other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you 
received this communication 
in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network 
system.