
Re: Re: Cookies at XML Europe 2004 -- Call for Participation


At 1:08 PM -0500 1/8/04, Rich Salz wrote:


>Without SSL, the risk is "offline attack on gets long-term password" 
>for digest, and for cookie it's "packet snarf gets limited access." 
>That tradeoff alone would make the concerned (or liable) party tend 
>to go for cookies, don'tcha think?

No, I don't think that's true. First of all it's not "offline attack 
on gets long-term password". It's packet snarf followed by offline 
attack gets long-term password. Packet snarfing is required for 
both attacks.

Once the packets are snarfed, a hole that does not require any 
decryption and gives immediate, time-limited access is worse than an 
attack that requires a decryption that may not succeed. A strong 
password is a pretty damn good defense against an offline, dictionary 
attack on digest authentication. I don't see any equivalent action a 
client can take to protect themselves against a cookie-based attack. 
The server might be able to take a few actions to help alleviate the 
problem, but in practice I doubt most server administrators are 
security conscious enough to provide sufficient protection, 
especially for those who aren't using SSL in the first place. *I* can 
protect *myself* against your proposed attack on digest 
authentication. I cannot protect myself against the attacks on cookie 
session keys. I must rely on the server to do it for me. And 
excepting SSL, I don't think the defenses you propose are 
sufficiently effective, even if the server does implement them. :-(
-- 

   Elliotte Rusty Harold
   elharo@m...
   Effective XML (Addison-Wesley, 2003)
   http://www.cafeconleche.org/books/effectivexml
   http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
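As an added illustration of the exchange the two posters are arguing about (not code from the thread or from either author), here is the HTTP Digest challenge/response (RFC 2617, qop="auth") with the RFC's own worked values. It shows that the wire only carries the nonce and an MD5 response, never the password, and that a server which consumes each nonce it issued will reject a sniffed Authorization header that is simply replayed; the one-shot nonce policy is a simplification of the RFC's nonce-count handling, assumed here for clarity.

```python
import hashlib
import secrets

# Constructed values taken from the RFC 2617 section 3.5 example.
REALM = "testrealm@host.com"
USER, PASSWORD = "Mufasa", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What the server stores instead of the clear-text password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # Client-side computation; this hex string is what a sniffer sees.
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str, nc: str,
                  cnonce: str, response: str, issued_nonces: set) -> bool:
    # Accept only nonces this server issued, and consume them so a captured
    # header cannot be replayed (simplified: no nonce-count reuse).
    if nonce not in issued_nonces:
        return False
    issued_nonces.discard(nonce)
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def exchange_demo() -> tuple:
    # Returns (first attempt accepted, replay of the same header accepted).
    issued = {NONCE}
    stored = ha1(USER, REALM, PASSWORD)
    resp = digest_response(stored, "GET", "/dir/index.html", NONCE, "00000001", "0a4f113b")
    first = server_verify(stored, "GET", "/dir/index.html", NONCE, "00000001", "0a4f113b", resp, issued)
    replay = server_verify(stored, "GET", "/dir/index.html", NONCE, "00000001", "0a4f113b", resp, issued)
    return first, replay


if __name__ == "__main__":
    print(exchange_demo())
```

The captured response is only useful to someone who guesses the password offline, which is why the strength of the password is the client's defense; a captured session cookie needs no such guessing.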
