Vulnerability Development mailing list archives

Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)


From: Kevin Fu <fubob () MIT EDU>
Date: Thu, 30 Aug 2001 16:24:02 -0400

If you (the original author) really want to beef this up, I suggest doing
a large-scale statistical analysis of the session IDs and cookies,
illustrate some predictive properties (i.e. if it's using gettimeofday(),
everyone's favorite seed for their PRNG), and put together some demos. You
may be on to something, as it really does rely on some implicit trust that
the session values are generated randomly.

Something along these lines is already underway.  Volunteers can
upload Netscape-style cookies on http://cookies.lcs.mit.edu/.  The
cookies are then stored in an SQL database for pattern matching and
reverse engineering.  Volunteers are welcome to help make the site
work for cookies from other browsers such as MSIE and Konqueror.  We
have plans for HTTPS and HTTP proxies so that volunteers can donate
the tastier ephemeral RAM-only cookies too.

At the USENIX security symposium, we explained how we broke many
insecure authentication schemes including schemes used at WSJ.com,
SprintPCS.com, FatBrain.com, highschoolalumni.com, and others.  Of the
twenty-seven sites we investigated, we weakened the client
authentication on two systems, gained unauthorized access on eight,
and extracted the secret key used to mint authenticators from one.

Anyhow, read the tech report and privacy policy on cookies.lcs.mit.edu
if you're interested.

--------
Kevin E. Fu (fubob () mit edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
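The kind of statistical check the quoted suggestion calls for, as an added example (not code from this post or from the cookies.lcs.mit.edu project): it takes a batch of (issue time, hex session ID) pairs, an assumed log format, and flags a generator whose output tracks the clock or a counter instead of looking random.

```python
"""Audit a batch of session identifiers for the predictability the thread
warns about: values that track issue time rather than being random.

Added example, not from the post. Input format is an assumption: a list of
(issue_time_seconds, session_id) pairs with session_id as a hex string.
"""
import math
import secrets
from collections import Counter

def shannon_entropy_per_char(ids):
    """Average bits per character over all IDs (maximum 4.0 for hex)."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def monotone_fraction(samples):
    """Fraction of consecutive IDs (in issue order) whose numeric value rises.
    Random IDs give about 0.5; a counter or clock-derived ID gives about 1.0."""
    ordered = [int(sid, 16) for _, sid in sorted(samples)]
    ups = sum(1 for a, b in zip(ordered, ordered[1:]) if b > a)
    return ups / (len(ordered) - 1)

def audit(samples, entropy_floor=3.5, monotone_ceiling=0.7):
    """Return (is_predictable, findings) for a batch of (time, hex_id) pairs."""
    ids = [sid for _, sid in samples]
    findings = {
        "entropy_bits_per_char": shannon_entropy_per_char(ids),
        "monotone_fraction": monotone_fraction(samples),
        "distinct_fraction": len(set(ids)) / len(ids),
    }
    predictable = (findings["entropy_bits_per_char"] < entropy_floor
                   or findings["monotone_fraction"] > monotone_ceiling
                   or findings["distinct_fraction"] < 1.0)
    return predictable, findings

# Constructed samples: a clock-plus-counter generator versus a CSPRNG one.
START = 999_000_000.0   # constructed issue time (seconds since epoch)

def weak_batch(n=200):
    """ID = milliseconds since epoch plus a request counter, as 16 hex chars."""
    return [(START + i * 0.37,
             format(int((START + i * 0.37) * 1000) + i, "016x")) for i in range(n)]

def strong_batch(n=200):
    """ID = 64 random bits from the OS CSPRNG, as 16 hex chars."""
    return [(START + i * 0.37, secrets.token_hex(8)) for i in range(n)]
```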

