Re: Let's talk about HTTPS Everywhere
On Sat, 22 Jan 2011 10:11:39 -0600, Boyd Stephen Smith Jr. wrote:
> In <pan.2011.01.22.15.39.38@gmail.com>, Camaleón wrote:
(...)
>> Or just think about removable flash drive devices with portable versions
>> of the browsers; the owner logs into his online account (facebook,
>> gmail, whatever...), checks the "remember me" option and keeps the full
>> session encrypted via https (not just the login part). Another user with
>> access to the flash drive could copy the whole content of the data and
>> re-use (hijack) the cookie that holds the session id.
>
> Cookies that allow the user to bypass a security measure are often
> aggressively timed out and/or cleared server-side, preventing this from
> happening in practice unless the first user authorizes it.
>
> Physical access to the same hardware in a roughly 5 minute window also
> allows one to impersonate another user on a Kerberos network; that's not
> generally considered insecure.
(...)
Not "hardware" but "data".
We only need the data to get the encrypted cookie and hijack the login
session. That's a bit different from having access to a computer and being
able to change the root password.
As for Kerberos, I have not read of any case of "session hijacking"; I
thought it was a very strict (with high requirements) protocol :-?
Greetings,
--
Camaleón
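As an added illustration of the server-side timeouts Boyd mentions (example code written for this page, not from either poster): a session table where the cookie carries only an opaque id, so a cookie copied off the flash drive stops working once the server expires or clears its entry. `IDLE_TIMEOUT`, `ABSOLUTE_LIFETIME`, `SessionStore` and the scenario in `demo()` are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 5 * 60          # assumed: seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 12 * 3600  # assumed: hard cap regardless of activity

class SessionStore:
    """Server-side session table; the cookie only carries an opaque id."""
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable clock so expiry can be exercised offline
        self.sessions = {}       # sid -> {"user", "created", "last_seen"}

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable id, no data stored in the cookie
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user for a presented cookie, or None if it is no longer valid."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self.sessions[sid]       # expire server-side, not just in the browser
            return None
        s["last_seen"] = now
        return s["user"]

    def logout_everywhere(self, user):
        """Clear every session of a user server-side, e.g. after a lost flash drive."""
        dead = [sid for sid, s in self.sessions.items() if s["user"] == user]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)

def demo():
    t = [1_000_000.0]                      # constructed clock value
    store = SessionStore(clock=lambda: t[0])
    sid = store.login("alice")
    copied = sid                           # constructed: cookie copied off the drive
    t[0] += 60
    live = store.resolve(copied)           # within idle window: replay still works
    t[0] += IDLE_TIMEOUT + 1
    stale = store.resolve(copied)          # past idle timeout: server refuses it
    sid2 = store.login("alice")
    cleared = store.logout_everywhere("alice")
    gone = store.resolve(sid2)             # cleared server-side: also refused
    return live, stale, cleared, gone
```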