Netscape's use of SSL

Ben Laurie
Fri, 21 Jan 2000 11:00:03 +0000

Norman Hardy wrote:
> I have been multiprocessing my reply to the last entry on this topic for a
> few weeks. I now have a few notes at
> <> that I think I did not say
> clearly or coherently before.

I think that objection neglects the use of client certificates. It would
be the cookie/client cert combination that determines access by C to the
state C'. Since D is unable to forge C's client cert, D is unable to
hijack the session. In some instances, even the cookie may be redundant
(e.g. if there is only a single server context for each particular

If all you are after is non-hijackability of sessions, the client can
even use a cert you are unable to check. Or, perhaps even better, an
ephemeral one.




"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi