Security Basics mailing list archives
Re: Newbie HTTPS/SSL question
From: jamesworld () intelligencia com
Date: Thu, 11 Dec 2003 13:14:40 -0600
Darragh,

You allude to the answer to your question in your question: session.

Do a Google search on HTTP session state and get an understanding of that, then look at HTTPS session states.

Take a look at: http://jan.netcomp.monash.edu.au/ecommerce/session.html for a real brief, clean look at what happens under the hood.

Short answer: no :-)

Session keys are supposed to be unique. If not, you'd have a huge replay attack problem.

Great question. It shows that you are actually thinking about the inner workings. Keep up the questions, both internal and to the list.

-James

At 07:21 12/11/2003, Darragh O'Brien wrote:

Hi,

Is it possible to tie a web page to a particular HTTPS session so that when requested it is always sent back encrypted with the server key associated with that session? That way, guessing the URL of a dynamically created page would not be enough since we don't have the client key to decrypt it?

Or am I talking nonsense!?

Thanks,
Darragh