
Re: Session Fixation

From: Alex Russell <alex(at)netWindows.org>
Date: Mon Mar 31 2003 - 11:16:20 EST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 31 March 2003 07:19 am, Information Security wrote:
> I recently visited a site (I think it might have been my bank) where they

I'm afraid I fail to see the value. What if you're an AOL subscriber? Your "extra security" is then shared by some number of other millions of clueless, easily rootable users. Better yet, if the connection is encrypted with SSL (it is, isn't it?), you've already bought AT LEAST this much security (an attacker would have to compromise your session key in order to spoof your session, not just something as trivial as an IP addr). The bank's "feature" is the security equivalent of a placebo.

This topic has been discussed at length on this list, and every time it is, the consensus is reached that "binding" some session identifier to an IP address is not only ineffectual, it provides a false sense of security. This can almost be worse than providing poor security measures in the first place, as it (incorrectly) increases one's trust in a system that provides no real benefit. IP is _designed_ to be unreliable, insecure transport. That's why it took over the world. Trying to assign security significance to a protocol that was designed not to provide any is a misplaced bet.

> But the nice

Hrm, one might take them to task for even mislabeling that. More appropriately it could be "additional feature we thought would be neat, but provides no real security value. Use it if you want to feel better about not really doing anything about security."

Ok. I'll stop ranting now.

-- 
Alex Russell
alex@netWindows.org
alex@SecurePipe.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+iGnYoV0dQ6uSmkYRAr2uAKCPZfN3nRPGqRZTt9No1IbgE2IS4gCgu09Y
yAyEUa/7Et/jm5AMl+kw/+E=
=7d14
-----END PGP SIGNATURE-----

Received on Mon Mar 31 11:20:48 2003
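The shared-proxy argument in the message above, as an added example that is not part of the original post: a toy session store with optional IP binding, using constructed addresses, showing that the binding cannot tell two clients behind one egress address apart and rejects a legitimate user whose address changes, while the fresh random identifier issued at login is the actual defence against the session fixation the thread subject refers to.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    sid: str
    user: str
    bound_ip: Optional[str]  # None means no IP binding


class SessionStore:
    """Toy server-side session store (constructed for this example)."""

    def __init__(self, bind_to_ip: bool):
        self.bind_to_ip = bind_to_ip
        self._sessions: dict = {}

    def login(self, user: str, client_ip: str) -> str:
        # Issue a fresh, unguessable identifier at authentication time. Never
        # promoting a pre-login id to an authenticated one is the session-fixation
        # defence; the secrecy of this id (carried over SSL/TLS) is what protects
        # the session, not the address it came from.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, client_ip if self.bind_to_ip else None)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.bound_ip is not None and s.bound_ip != client_ip:
            return None
        return s.user


def shared_proxy_scenario() -> tuple:
    """Two clients behind one proxy egress address (constructed, documentation range).
    Returns (second_client_passes_ip_check, legitimate_user_rejected_after_ip_change)."""
    store = SessionStore(bind_to_ip=True)
    proxy_ip = "198.51.100.7"  # shared egress address, e.g. a large ISP proxy
    sid = store.login("alice", proxy_ip)
    # Anyone sharing that egress presents the same address, so the binding adds nothing.
    second_client_passes = store.lookup(sid, proxy_ip) == "alice"
    # The real user reconnects through another proxy node and is wrongly rejected.
    rejected = store.lookup(sid, "198.51.100.8") is None
    return second_client_passes, rejected
```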

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

