Pantek Library

Re: Session Fixation

From: Alex Russell <alex(at)netWindows.org>
Date: Tue Apr 01 2003 - 15:33:19 EST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 01 April 2003 12:33 pm, Matt Fisher wrote:
> http://www.computerbytesman.com/privacy/supercookie.htm

wow. What a mess.

Although I suppose the blame lies much more with the permissive nature of IE than with WMP per se.

> > Has anyone put the Internet Explorer "Super Cookie" to use ?
> >
> > For the particular app I am working on, I can guarantee that all the
> > users are connecting with IE over ssl. Plus they all (mainly) go
> > through a router from the same LAN, thus appear to have the same IP.
> >
> > I am currently logging the super cookie to try and determine if it
> > really is unique enough.

Given the above description, you should note that trusting said "super-cookie" is no better than an IP because it is something that _you didn't issue_. If you didn't issue it, you can't verify it. If you can't verify it, you can't trust it (PKI is the notable exception to the issuing rule, as you can verify without issuing). If you can't trust it, you shouldn't use it as a basis for security measures.

I'm sure it's plenty unique (in the common case), however good security design (and good accessibility design) strongly suggest that you design your app so that it continues to function correctly in the _uncommon_ case. Not just when the browser is being complicit in the degradation of its users' privacy. Also, why should you count on the machine having WMP installed in the first place? And why should you rely on JavaScript?

- -- 
Alex Russell
alex@netWindows.org
alex@SecurePipe.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+ifePoV0dQ6uSmkYRAu5OAKCL1yB9CLOvOeGj1tv0BW2Jdfc/zwCgwyyJ
r/BZbi/9ftWYC0Aom8cZWlI=
=QtF9
-----END PGP SIGNATURE-----

Received on Tue Apr 1 15:40:56 2003
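The "if you didn't issue it, you can't verify it" point above, and the thread's subject line, lend themselves to a small worked model. The Python below is an added example, not code from the poster or from any application discussed in the thread. It contrasts a session manager that only honours identifiers it minted itself (and re-issues the identifier at login, which is the standard session-fixation defence) with a lookup that maps a browser-reported identifier, in the style of the "super cookie", straight to a user. The class, function and table names, and the sample identifier strings, are constructed for illustration.

```python
"""Server-issued session identifiers versus client-supplied ones.

Added example. Models the principle from the message above: a server can
only verify a credential it issued itself (public-key signatures being the
exception, since they can be checked against a key the server trusts).
All names and sample values here are constructed for illustration.
"""
import secrets


class SessionServer:
    """Minimal session manager. The only identifiers it accepts are the
    ones it minted; any other value is treated as 'no session at all'."""

    def __init__(self):
        # sid -> {"user": str or None}; being in this table is what
        # "the server issued it" means.
        self._sessions = {}

    def _mint(self):
        # 256 bits from the OS CSPRNG, recorded before it is handed out.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def request(self, presented_sid):
        """Handle an incoming request. A presented ID that the server never
        issued is ignored and a fresh one is minted instead, so a value the
        attacker chose (planted via URL, script, or a shared LAN) can never
        become a live session just by being presented."""
        if presented_sid in self._sessions:
            return presented_sid
        return self._mint()

    def login(self, presented_sid, user):
        """On successful authentication, discard the pre-login ID and issue
        a new one. Whoever knew the old ID (the fixation attacker, a proxy
        log, a colleague behind the same router) does not now hold an
        authenticated session."""
        old = self.request(presented_sid)
        del self._sessions[old]
        new = self._mint()
        self._sessions[new]["user"] = user
        return new

    def whoami(self, presented_sid):
        """Return the authenticated user for a session ID, or None."""
        entry = self._sessions.get(presented_sid)
        return entry["user"] if entry else None


def whoami_from_client_identifier(identifier_table, client_id):
    """The 'super cookie' design: the application maps a browser-reported
    identifier directly to a user. The server never issued client_id and
    has nothing to check it against, so anyone able to present the same
    string is treated as that user."""
    return identifier_table.get(client_id)


def demo():
    """Run both designs against a fixation-style attacker and report."""
    srv = SessionServer()
    results = {}

    # Case 1: attacker plants an ID of their own choosing in the victim's
    # browser. It was never issued, so it never becomes a session.
    planted = "attacker-chosen-id"                     # constructed
    victim_sid = srv.login(planted, "alice")
    results["planted_id_authenticated"] = srv.whoami(planted)    # None
    results["victim_sid_differs_from_planted"] = victim_sid != planted
    results["victim_authenticated"] = srv.whoami(victim_sid)     # "alice"

    # Case 2: classic fixation. Attacker first obtains a genuine,
    # server-issued pre-login ID and plants that. Re-issuing at login
    # means the attacker's copy is dead once the victim authenticates.
    fixed = srv.request(None)
    victim_sid2 = srv.login(fixed, "bob")
    results["fixed_id_authenticated"] = srv.whoami(fixed)        # None
    results["victim2_authenticated"] = srv.whoami(victim_sid2)   # "bob"

    # Case 3: the client-supplied identifier design. The identifier is
    # 'unique', but a copy of the string is as good as the original.
    table = {"WMP-GUID-1234": "alice"}                 # constructed
    results["copied_identifier_accepted"] = whoami_from_client_identifier(
        table, "WMP-GUID-1234")                        # "alice"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The store-backed design needs no signing at all: possession of a string the server has in its table is the whole check, which is exactly why the server must be the only party that ever puts strings there. A signed (HMAC or public-key) token would let the server drop the table, but the issuing rule is unchanged, since the verifying key is still something the client did not supply.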

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

