
Re: Let's talk about HTTPS Everywhere



On Wed, 19 Jan 2011 17:50:58 +0000 (UTC)
Camaleón <noelamac@gmail.com> wrote:

> On Wed, 19 Jan 2011 18:07:36 +0100, tv.debian@googlemail.com wrote:

...

> > It is not only the data enclosed inside the cookie which are at risk
> > here, but the entire session on the website you are logged in. Say you
> > log into your "friendface" account, and someone near you catches your
> > unencrypted session cookie, then he is YOU on YOUR "friendface"
> > account...
> 
> That sounds like bad programming or a buggy site. There are methods to 
> prevent such attacks on the server side that involve no encrypted
> sessions, but sometimes it is easier (and cheaper) for companies to rely
> on completely encrypted sessions and not implement other
> countermeasures.

I'm curious - how can one completely guard against a MITM attack
without using encryption?

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

