WebApp Sec mailing list archives
RE: (robust web apps) Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 23 Dec 2004 10:21:49 -0600
-----Original Message----- From: Florian Weimer [mailto:fw () deneb enyo de] At some point, you simply have to face that it's impossible to write robust web applications. There are too many bugs and too many questionable practices users have grown accustomed to, and have to be supported.
I simply can't agree with you. That's what RFCs exist for. The answers are out there and I fully believe we're capable of finding them. Users expectations evolve over time. Education is part of our task.
What's worse is that browsers are *required* to leak plenty of data between sites of varying trust. You can't build a reliable application on top of this foundation.
Well now you have a point here which still amazes me. The primary bank I use finally gets SSL. One of the top 10 banks in the world and ever time I click on "billpay" they send me to one of checkfree's URLs and different SSL cert, etc. So now they finally frame it so the SSL is valid and I simply see a lot of requests and cookies from an invalid domain. :) But there is a better answer out there. I think you mean "right now" with "this technology" in which case I'm still not sure I've thought through everything enough to agree. But I am a slow thinker anyway... Arian The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
Current thread:
- RE: (robust web apps) Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Evans, Arian (Dec 28)