Re: Let's talk about HTTPS Everywhere



On Sat, 22 Jan 2011 11:13:31 -0600, Boyd Stephen Smith Jr. wrote:

> In <pan.2011.01.22.16.44.41@gmail.com>, Camaleón wrote:

>>> Physical access to the same hardware in a roughly 5 minute window also
>>> allows one to impersonate another user on a Kerberos network; that's
>>> not generally considered insecure.
>>
>>(...)
>>
>>Not "hardware" but "data".
> 
> Please provide a scenario where they have access to the data, but not
> the hardware.  Your example quoted above assumed they have access to the
> removable flash drive, which is hardware.

(...)

I meant that the hardware itself is irrelevant for the case. It can be on a 
flash stick, on an external drive, on a notebook or even stored online. Once 
you get the source (the encrypted cookie with the session id) the server 
does not make further validations. You don't know what the content of the 
session id is, but you can use it anyway.

I don't know how easily bypassable Kerberos-based security is. You say "it 
is" (or "it can be") and I have to trust you, as I have no experience with 
this auth method.

Greetings,

-- 
Camaleón
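The point Camaleón makes above (a server that accepts any presented session id with no further validation) is easy to see in code, and so is the usual mitigation. The following is an added example, not code from this thread or from any project discussed in it: a naive session store beside one that checks a time-to-live and binds each session to attributes of the client that created it. The client attributes, the 900-second TTL and the sample client dictionaries are constructed for the example; binding to IP address and User-Agent is a coarse choice and a real deployment would prefer something harder to copy, but the structure of the check is the same.

```python
import hashlib
import hmac
import secrets
import time


class NaiveSessionStore:
    """Accepts any session id that exists: a copied cookie works from anywhere."""

    def __init__(self):
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def lookup(self, sid):
        # No expiry, no check of who is presenting the id.
        return self.sessions.get(sid)


class BoundSessionStore:
    """Rejects a session id that is expired or presented from a different client."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self.sessions = {}
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _binding(client):
        # Hash of the client attributes the session is bound to (hypothetical
        # choice for the example: IP address and User-Agent).
        material = "|".join(f"{k}={client[k]}" for k in sorted(client))
        return hashlib.sha256(material.encode("utf-8")).hexdigest()

    def create(self, user, client):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": user,
            "binding": self._binding(client),
            "expires": self.now() + self.ttl,
        }
        return sid

    def lookup(self, sid, client):
        record = self.sessions.get(sid)
        if record is None:
            return None
        if self.now() > record["expires"]:
            del self.sessions[sid]  # expired: drop it so it cannot be replayed later
            return None
        # Constant-time comparison of the stored and presented client binding.
        if not hmac.compare_digest(record["binding"], self._binding(client)):
            return None
        return record["user"]


# Constructed sample clients for the demonstration.
CLIENT_A = {"ip": "192.0.2.10", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
CLIENT_B = {"ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 6.1)"}


def demo():
    """Return how each store treats a session id copied to another client."""
    naive = NaiveSessionStore()
    sid = naive.create("alice")

    clock = {"t": 1000.0}
    bound = BoundSessionStore(ttl_seconds=900, now=lambda: clock["t"])
    bsid = bound.create("alice", CLIENT_A)
    same_client = bound.lookup(bsid, CLIENT_A)
    other_client = bound.lookup(bsid, CLIENT_B)
    clock["t"] += 901  # advance past the TTL
    after_expiry = bound.lookup(bsid, CLIENT_A)

    return {
        "naive_copied_id_accepted": naive.lookup(sid) == "alice",
        "bound_same_client": same_client,
        "bound_other_client": other_client,
        "bound_after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive store is exactly the behaviour described in the message: possession of the id is the whole check. The bound store still trusts the id, but only for a limited time and only when the presenting client matches the one that obtained it, which is what turns a copied cookie from a permanent credential into a narrow one.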