Re: Let's talk about HTTPS Everywhere
On Wed, 19 Jan 2011 17:50:58 +0000 (UTC)
Camaleón <noelamac@gmail.com> wrote:
> On Wed, 19 Jan 2011 18:07:36 +0100, tv.debian@googlemail.com wrote:
...
> > It is not only the data enclosed inside the cookie which are at risk
> > here, but the entire session on the website you are logged in. Say you
> > log into your "friendface" account, and someone near you catches your
> > unencrypted session cookie, then he is YOU on YOUR "friendface"
> > account...
>
> That sounds like bad programming or a buggy site. There are methods to
> prevent such attacks on the server side that involve no encrypted
> sessions, but sometimes it is easier (and cheaper) for companies to rely
> on completely encrypted sessions and not implement other
> countermeasures.
I'm curious - how can one completely guard against a MITM attack
without using encryption?
Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator