Netscape's use of SSL

Ben Laurie ben@algroup.co.uk
Fri, 21 Jan 2000 11:00:03 +0000
Norman Hardy wrote:
> 
> I have been multiprocessing my reply to the last entry on this topic for a
> few weeks. I now have a few notes at
> <http://www.mediacity.com/~norm/SSL/SSL2.html> that I think I did not say
> clearly or coherently before.

I think that objection neglects the use of client certificates. It would
be the cookie/client cert combination that determines access by C to the
state C'. Since D is unable to forge C's client cert, D is unable to
hijack the session. In some instances, even the cookie may be redundant
(e.g. if there is only a single server context for each particular
client).

If all you are after is non-hijackability of sessions, the client can
even use a cert you are unable to check. Or, perhaps even better, an
ephemeral one.

Cheers,

Ben.

--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm

http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
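The binding Ben describes above, as an added example that is not part of the original message: the session store remembers the fingerprint of the client certificate that was presented when the session was opened, and a cookie is honoured only on a connection that TLS authenticated with that same certificate. Everything here is assumed for illustration: the TLS layer is modelled as handing the application the DER bytes of the peer certificate (or None), the certificate blobs for C and D are constructed placeholders, and no chain validation is done at all, which is exactly the "cert you are unable to check" or ephemeral-cert case. The `by_cert` lookup covers the variant where a client has only one server context and the cookie is redundant.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed model of what the TLS terminator hands the application: the DER
# bytes of the peer's client certificate, or None if none was presented.
# TLS proved possession of the matching private key during the handshake
# (CertificateVerify), so D cannot present C's certificate without C's key.


def fingerprint(cert_der: Optional[bytes]) -> Optional[str]:
    """Stable identifier for a client cert; no chain validation is needed."""
    if cert_der is None:
        return None
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Session:
    state: dict
    cert_fp: str  # fingerprint of the cert seen when the session was opened


class Server:
    """Session store that binds each cookie to a client-certificate fingerprint."""

    def __init__(self) -> None:
        self._by_cookie: Dict[str, Session] = {}
        self._by_cert: Dict[str, Session] = {}

    def login(self, cert_der: Optional[bytes], initial_state: dict) -> str:
        fp = fingerprint(cert_der)
        if fp is None:
            raise PermissionError("a client certificate is required to open a session")
        sess = Session(dict(initial_state), fp)
        cookie = secrets.token_hex(16)
        self._by_cookie[cookie] = sess
        self._by_cert[fp] = sess  # one server context per client in this model
        return cookie

    def access(self, cookie: str, cert_der: Optional[bytes]) -> Optional[dict]:
        """Cookie + client cert together select the state; either alone fails."""
        sess = self._by_cookie.get(cookie)
        fp = fingerprint(cert_der)
        if sess is None or fp is None:
            return None
        if not hmac.compare_digest(sess.cert_fp, fp):
            return None  # stolen cookie presented over someone else's TLS session
        return sess.state

    def access_by_cert(self, cert_der: Optional[bytes]) -> Optional[dict]:
        """Cookie-less variant: the authenticated cert alone selects the state."""
        fp = fingerprint(cert_der)
        return None if fp is None else (self._by_cert[fp].state if fp in self._by_cert else None)


def demo() -> dict:
    # Constructed placeholders standing in for real DER-encoded certificates.
    c_cert = b"constructed DER: client C, self-signed, ephemeral"
    d_cert = b"constructed DER: attacker D, self-signed"

    server = Server()
    cookie = server.login(c_cert, {"user": "C", "cart": ["item-1"]})

    return {
        # C over C's own TLS session: allowed.
        "c_ok": server.access(cookie, c_cert) is not None,
        # D has sniffed C's cookie but can only terminate TLS with D's own cert.
        "d_with_stolen_cookie": server.access(cookie, d_cert) is not None,
        # D replays the cookie over a connection with no client cert at all.
        "d_without_cert": server.access(cookie, None) is not None,
        # Cookie is redundant when each client has a single server context.
        "c_by_cert_only": server.access_by_cert(c_cert) is not None,
        "d_by_cert_only": server.access_by_cert(d_cert) is not None,
    }
```

The property that matters is where the trust comes from: the application never inspects an issuer or a validity period, it only relies on the TLS handshake having proved possession of the private key behind whatever certificate the client offered. That is why an ephemeral self-signed certificate is enough for non-hijackability, while it would be useless for deciding who C actually is.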