[cap-talk] Security considerations for cookies
Toby Murray
toby.murray at comlab.ox.ac.uk
Tue Feb 23 00:58:26 PST 2010
On 23 February 2010 05:39, Sandro Magi <naasking at higherlogics.com> wrote:
> On 15/02/2010 9:05 AM, Mark Seaborn wrote:
>> I would call this attack a kind of spoofing, rather than CSRF. Rather
>> than one site spoofing another, it can be one account or page spoofing
>> another on the same site. Tyler's Petname toolbar would not help in
>> this case. Maybe this can be addressed by petnames that are
>> finer-grained than a site, which might require sites' co-operation to
>> establish.
>
> I agree, but gmail already sports a solution: require the user to pick a
> custom theme, colour scheme, or a unique icon for his webmail interface,

I use the standard default for all. I'm sure the vast majority of
users do likewise. I'm not convinced that this would offer any real
protection, therefore.
Cheers
Toby