
Re: Let's talk about HTTPS Everywhere



On Sat, 22 Jan 2011 10:11:39 -0600, Boyd Stephen Smith Jr. wrote:

> In <pan.2011.01.22.15.39.38@gmail.com>, Camaleón wrote:

(...)

>>Or just think about removable flash drive devices with portable versions
>>of the browsers; the owner logs into his online account (facebook,
>>gmail, whatever...), checks the "remember me" option and keeps the full
>>session encrypted via https (not just the login part). Another user with
>>access to the flash drive could copy the whole content of the data and
>>re-use (hijack) the cookie that holds the session id.
> 
> Cookies that allow the user to bypass a security measure are often
> aggressively timed out and/or cleared server-side, preventing this from
> happening in practice unless the first user authorizes it.
> 
> Physical access to the same hardware in a roughly 5 minute window also
> allows one to impersonate another user on a Kerberos network; that's not
> generally considered insecure.

(...)

Not "hardware" but "data".

We only need the data to get the encrypted cookie and hijack the login 
session. That's a bit different from having access to a computer and being 
able to change root's password.

As for Kerberos, I have not read of any case of "session hijacking"; I 
thought it was a very strict (with high requirements) protocol :-?

Greetings,

-- 
Camaleón
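The mitigation Boyd mentions above, sessions that are "aggressively timed out and/or cleared server-side", is what limits the damage when a session cookie is copied off a flash drive. The following is an added illustration, not code from the thread or from any of the sites named in it: a constructed server-side session table with an idle timeout, an absolute lifetime, and explicit revocation, so that a copied cookie stops working shortly after the legitimate user stops using it or logs out. The class name, parameters and the injectable clock are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """Constructed example of a server-side session table.

    A stolen cookie value is only useful while the server still holds a
    live record for it, so expiry and revocation happen here, not in the
    browser profile that an attacker may have copied.
    """

    def __init__(self, idle_timeout=300, absolute_timeout=3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds since last request
        self.absolute_timeout = absolute_timeout  # seconds since login
        self.clock = clock                        # injectable for testing
        self._sessions = {}                       # session id -> record

    def create(self, user):
        # Unguessable id; this is the value that goes into the cookie.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None if it is unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if (now - rec["created"] > self.absolute_timeout
                or now - rec["last_seen"] > self.idle_timeout):
            # Expired: drop the record so the copied cookie is dead server-side.
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, sid):
        """Logout: forget the session regardless of any cookie still stored."""
        self._sessions.pop(sid, None)

    def revoke_all_for(self, user):
        """Invalidate every session of a user, e.g. after a password change."""
        doomed = [s for s, r in self._sessions.items() if r["user"] == user]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)
```

A "remember me" cookie handled this way still expires on the server, so copying the browser profile only helps within the idle and absolute windows, and not at all after the owner logs out.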
