[cap-talk] SSL protection racket
James A. Donald
jamesd at echeque.com
Wed Feb 27 15:29:42 EST 2008
James A. Donald
>> At present, if you are logged in to the
>> BankOfAmerica.com, and while logged in you browse to
>> FreePorn.com, the script in the web page FreePorn.com
>> can perform operations on your account as you.
Mike Samuel wrote:
> If so, isn't that more a problem with cookies than
> with http/https?
That we use cookies for security is itself a problem -
which manifests most often and most seriously as session
fixation attacks.
We should not have an architecture that requires each
web site implementor to separately implement a part of
what is in fact a crypto protocol - it indicates that
something is missing from our architecture.
Cookies are doing the work of a cryptographic protocol
(consider such crypto protocol demands as that cookies
be unpredictable and that they be replaced at a certain
point in the login), which is a manifestation of the fact
that the layer model of security does not work - that a
cryptographic layer does not in itself protect the other
layers. For the layer model to work requires that the
rest of the software adapt its behavior to the security
characteristics of the layer, which does not happen, let
alone the users adapting their behavior to the security
characteristics of the layer.
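As an added illustration that is not part of this cap-talk thread: a minimal Python session store showing the two protocol demands named above (the session cookie must be unpredictable, and it must be replaced at login) and why the second one is what defeats session fixation. The store, its method names and the "victim" account are all hypothetical; the scenario is constructed in-line.

```python
import secrets


class SessionStore:
    """Server-side session table keyed by the cookie value (hypothetical store)."""

    def __init__(self, rotate_on_login=True):
        self._sessions = {}              # session id -> session data
        self.rotate_on_login = rotate_on_login

    def new_session(self):
        # Demand 1: the id comes from the OS CSPRNG (32 bytes), never from a
        # counter, timestamp or anything a third party could guess.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        data = self._sessions.get(sid)
        return None if data is None else data["user"]

    def login(self, sid, user):
        """Authenticate the presenter of `sid`; return the id the cookie must now carry."""
        data = self._sessions.pop(sid, None) or {}
        data["user"] = user
        if self.rotate_on_login:
            # Demand 2: replace the identifier at the privilege change, so an id
            # that existed before login (possibly planted) is never authenticated.
            sid = secrets.token_urlsafe(32)
        self._sessions[sid] = data
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def planted_id_becomes_authenticated(rotate_on_login):
    """Constructed session-fixation scenario; True means the defence failed."""
    store = SessionStore(rotate_on_login)
    planted = store.new_session()          # an anonymous id obtained before login
    # The victim's browser is assumed to present `planted`, then the victim logs in.
    store.login(planted, "victim")
    # Does the pre-login id now map to the victim's authenticated session?
    return store.user_for(planted) == "victim"


def ids_are_distinct_and_long():
    store = SessionStore()
    a, b = store.new_session(), store.new_session()
    return a != b and len(a) >= 43 and len(b) >= 43   # 32 random bytes, base64url


if __name__ == "__main__":
    print("without rotation, fixation succeeds:", planted_id_becomes_authenticated(False))
    print("with rotation, fixation fails:", not planted_id_becomes_authenticated(True))
```

The point of the comparison is that unpredictability alone does not help here: the id in the fixation case was issued by the server itself, so only rotating it at login breaks the link between the pre-login identifier and the authenticated session.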