In <pan.2011.01.22.16.44.41@gmail.com>, Camaleón wrote:
>On Sat, 22 Jan 2011 10:11:39 -0600, Boyd Stephen Smith Jr. wrote:
>> In <pan.2011.01.22.15.39.38@gmail.com>, Camaleón wrote:
>(...)
>
>>>Or just think about removable flash drive devices with portable versions
>>>of the browsers; the owner logs into his online account (facebook,
>>>gmail, whatever...), checks the "remember me" option and keeps the full
>>>session encrypted via https (not just the login part). Another user with
>>>access to the flash drive could copy the whole content of the data and
>>>re-use (hijack) the cookie that holds the session id.
>>>
>> Cookies that allow the user to bypass a security measure are often
>> aggressively timed out and/or cleared server-side, preventing this from
>> happening in practice unless the first user authorizes it.
>>
>> Physical access to the same hardware in a roughly 5 minute window also
>> allows one to impersonate another user on a Kerberos network; that's not
>> generally considered insecure.
>
>(...)
>
>Not "hardware" but "data".

Please provide a scenario where they have access to the data, but not the
hardware. Your example quoted above assumed they have access to the
removable flash drive, which is hardware.

>We only need the data to get the encrypted cookie and hijack the login
>session. That's a bit different than having access to a computer and being
>able to change the root's password.
>
>As per kerberos, I have not read any case of "session hijacking", I
>thought it was a very strict (with high requirements) protocol :-?

It is. Still, if you store your tickets (Kerberos term) on a flash drive, I
have an approximately 5 minute window to steal the drive and authenticate to
those services. (I think client and/or server can use a smaller window, but
I'm not entirely sure.)

NB: Both Kerberos and most web sites / applications have some way to log out /
off which invalidates your cookie / ticket. Use of this feature likely
prevents many of the attacks.

It is even more dangerous if you store your (Kerberos) TGT there, since it can
be used to authenticate against arbitrary services.

After 5 minutes, the tickets are no longer valid. Tickets are very much like
cookies that record an encrypted session id. They are created as part of
successful authentication, but don't contain any sensitive information, and
are exchanged in lieu of re-authenticating within the same session.

NB: It's been a while since I dealt with Kerberos. Tickets may normally be
written to disk encrypted; I know cookies are generally not.
-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss@iguanasuicide.net                      ((_/)o o(\_))
ICQ: 514984   YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                      \_/
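The thread's central point is that a cookie copied off a flash drive is only as useful as the server lets it be: sessions that are timed out or cleared server-side, and an explicit logout, leave the copied value inert. The following is an added example, not code from either poster, showing the server side of that argument in Python: a session table with idle and absolute timeouts, logout and logout-everywhere, plus a "remember me" cookie implemented as a single-use rotating token so that a copied cookie being presented a second time revokes the whole series. The rotating remember-me scheme goes beyond what the thread discusses; the class names, the policy values (`IDLE_TIMEOUT`, `ABSOLUTE_LIFETIME`) and the timestamps in `demo()` are all assumptions constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values (not from the thread): short idle timeout, hard lifetime cap.
IDLE_TIMEOUT = 300            # seconds of inactivity before the server forgets the session
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity


def _h(token: str) -> str:
    # Only a hash of each token is kept server-side, so a copy of this table is not a set of usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Short-lived login sessions keyed by the hashed cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # the value the browser stores in its session cookie
        self._sessions[_h(token)] = Session(user, now, now)
        return token

    def resolve(self, token: str, now: float) -> Optional[str]:
        """Return the user behind a presented cookie, or None if the server no longer honours it."""
        key = _h(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[key]  # timed out server-side; whoever holds the cookie now holds nothing
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(_h(token), None)  # explicit logout clears the server-side record

    def logout_everywhere(self, user: str) -> int:
        dead = [k for k, s in self._sessions.items() if s.user == user]
        for k in dead:
            del self._sessions[k]
        return len(dead)


class RememberMe:
    """Long-lived 'remember me' cookies as single-use tokens in a rotating series.
    A token that was already consumed means two parties hold the same cookie, so the
    whole series is revoked and the user has to log in again."""

    def __init__(self) -> None:
        self._series: Dict[str, Tuple[str, str]] = {}  # series id -> (user, hash of live token)

    def issue(self, user: str, series: Optional[str] = None) -> str:
        series = series or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._series[series] = (user, _h(token))
        return f"{series}.{token}"

    def redeem(self, cookie: str) -> Optional[Tuple[str, str]]:
        """Exchange a cookie for (user, replacement cookie); None if unknown or already used."""
        series, _, token = cookie.partition(".")
        entry = self._series.get(series)
        if entry is None:
            return None
        user, live_hash = entry
        if _h(token) != live_hash:
            del self._series[series]  # stale token presented: treat as theft and kill the series
            return None
        return user, self.issue(user, series)  # rotate: the presented token is dead from here on


def demo() -> Dict[str, bool]:
    """Walk through the flash-drive scenario from the thread with constructed timestamps."""
    store, rm = SessionStore(), RememberMe()
    t0 = 1_000_000.0
    sid = store.login("owner", t0)
    copied = sid  # the second user copies the cookie jar verbatim
    out: Dict[str, bool] = {}
    out["copy_works_while_live"] = store.resolve(copied, t0 + 60) == "owner"
    store.logout(sid)
    out["copy_dead_after_logout"] = store.resolve(copied, t0 + 61) is None
    sid2 = store.login("owner", t0 + 100)
    out["copy_dead_after_idle"] = store.resolve(sid2, t0 + 100 + IDLE_TIMEOUT + 1) is None
    sid3 = store.login("owner", t0 + 500)
    out["revoked_everywhere"] = store.logout_everywhere("owner") == 1 and store.resolve(sid3, t0 + 501) is None
    cookie = rm.issue("owner")
    user, fresh = rm.redeem(cookie)  # the owner redeems first; the token rotates
    out["remember_me_first_use"] = user == "owner" and fresh != cookie
    out["remember_me_copy_rejected"] = rm.redeem(cookie) is None  # the copied value is now stale
    out["remember_me_series_killed"] = rm.redeem(fresh) is None  # theft detected, owner must log in again
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first flag in `demo()` is the risk the thread describes: while the session is live and the owner has not logged out, the copied cookie is accepted. Every later flag is a server-side control that makes the copy worthless, which is the substance of the reply that such cookies are "aggressively timed out and/or cleared server-side". Storing only hashes of tokens is a separate hardening step so that a leaked copy of the server's table does not reproduce the problem on the other side.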