From: balzer on 15 Apr 2010 07:59

Some secure sites have the HTTPS session stay secure from login till the end of communication with the site (log off). Some sites are HTTPS only when logging in; after login they become HTTP, and become HTTPS again only when logging off (Yahoo mail, for example). What are the chances that the session can be intercepted and sidejacked and the traffic content recorded, especially as I know this danger really exists, and it's carried out purposefully and intentionally, by recording DSL traffic?
From: Maaartin on 15 Apr 2010 14:12

On Apr 15, 8:01 pm, "balzer" <nos...(a)news.eternal-september.org> wrote:
> How, technically, can it steal the cookie? Assuming it has no direct access
> to my PC, but sniffs and logs all DSL traffic..

"The cookie is sent as an HTTP header by a web server to a web browser and then sent back unchanged by the browser each time it accesses that server."
http://en.wikipedia.org/wiki/HTTP_cookie
From: balzer on 15 Apr 2010 14:24

"Maaartin" <grajcar1(a)seznam.cz> wrote in message news:1637b5f0-5494-42a2-9547-8c8377ff3381(a)u31g2000yqb.googlegroups.com...
> On Apr 15, 8:01 pm, "balzer" <nos...(a)news.eternal-september.org> wrote:
> > How, technically, can it steal the cookie? Assuming it has no direct
> > access
> > to my PC, but sniffs and logs all DSL traffic..
>
> "The cookie is sent as an HTTP header by a web server to a web browser and then sent back unchanged by the browser each time it accesses that server."
> http://en.wikipedia.org/wiki/HTTP_cookie
---------------
OK, let's assume the attacker got the cookie and accessed the email account.. When they log off, then they cannot log in anymore since they don't know the password, right?
From: mike clark on 15 Apr 2010 14:34

On Apr 15, 12:24 pm, "balzer" <nos...(a)news.eternal-september.org> wrote:
> "Maaartin" <grajc...(a)seznam.cz> wrote in message
> news:1637b5f0-5494-42a2-9547-8c8377ff3381(a)u31g2000yqb.googlegroups.com...
> > On Apr 15, 8:01 pm, "balzer" <nos...(a)news.eternal-september.org>
> > wrote:
> > > How, technically, can it steal the cookie? Assuming it has no direct
> > > access
> > > to my PC, but sniffs and logs all DSL traffic..
> >
> > "The cookie is sent as an HTTP header by a web server to a web browser
> > and then sent back unchanged by the browser each time it accesses that
> > server." http://en.wikipedia.org/wiki/HTTP_cookie
> ---------------
> OK, let's assume the attacker got the cookie and accessed the email account.. When
> they log off, then they cannot log in anymore since they don't know the password, right?

Why would they log off if they want to maintain access to your email account? If they could get the cookie so easily the first time, what would stop them from doing it again the next time you logged in? Assuming the web app is implemented properly, once the attacker (or you) logs off, then the attacker should be locked out of the account.
From: Paul Rubin on 15 Apr 2010 16:17

"balzer" <nospam(a)news.eternal-september.org> writes:
> Some sites are HTTPS only when logging in; after login they become HTTP,
> and become HTTPS again only when logging off (Yahoo mail, for example).
> What are the chances that the session can be intercepted and sidejacked
> and the traffic content recorded, especially as I know this danger really
> exists,

You can set the cookie to only be sent over https. I don't know whether Yahoo actually does that.
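Paul Rubin's point about sending the cookie only over https, as a small added model that is not code from this thread (the site, cookie names, values and URLs are constructed): a browser attaches a cookie carrying the Secure attribute to https requests only, so a session cookie issued without it rides along on the plain-HTTP pages a mail site drops to after login, where a passive observer of the line can record it. Domain and Path matching are left out and a single host is assumed.

```python
from urllib.parse import urlparse

# Constructed Set-Cookie headers a mail site might issue on HTTPS login (made up).
LOGIN_RESPONSE_HEADERS = [
    "sid=9f3a1c7e2b; Path=/; Secure; HttpOnly",  # Secure: https only
    "prefs=theme%3Ddark; Path=/; HttpOnly",     # no Secure: also sent over http
    "session_tkn=55ab1e; Path=/; HttpOnly",     # no Secure: also sent over http
]
# Constructed browsing pattern: HTTPS login, plain HTTP afterwards, HTTPS logout.
VISITED_URLS = [
    "https://mail.example.test/login",
    "http://mail.example.test/inbox",
    "http://mail.example.test/read?msg=12",
    "https://mail.example.test/logout",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def build_jar(set_cookie_headers):
    """Store issued cookies as a browser would: name -> (value, attrs)."""
    return {n: (v, a) for n, v, a in map(parse_set_cookie, set_cookie_headers)}

def cookies_attached(jar, url):
    """Cookie names the browser adds to a request for url (same host assumed).
    Only the Secure rule is modelled: Secure cookies travel on https only."""
    https = urlparse(url).scheme == "https"
    return sorted(n for n, (_, a) in jar.items() if https or not a.get("secure"))

def sniffer_records(jar, urls):
    """Cookie names a passive observer of the plaintext link sees: everything
    the browser attached to the http:// requests of the session."""
    seen = set()
    for url in urls:
        if urlparse(url).scheme == "http":
            seen.update(cookies_attached(jar, url))
    return sorted(seen)

def audit_missing_secure(set_cookie_headers):
    """Defender's check on a login response: cookies issued without Secure."""
    return [n for n, _, a in map(parse_set_cookie, set_cookie_headers)
            if not a.get("secure")]
```

Running audit_missing_secure against a real login response is the quick way to answer "does this site actually set Secure?" for a given service.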