RE: How to protect against cookie stealing?

> -----Original Message-----

> Mr. Dawes,
>

> If the website is a company private site that only needs to
> be accessed
> by customers, employees, and partners, and the integrity of the
> information is a top priority then using such thing as ActiveX is
> important at the time being.

I agree. Internal sites that have control over their clients (to the extent that they can dictate the network architecture, and the existence and configuration of proxies, etc) are in a much stronger position, and CAN implement source IP restrictions.

Internet sites that need to offer services to the public at large, and cannot dictate ISP etc, are worse off.

> Another thing, if we to eliminate things like proxy's that provide
> anonymity then we are destroying the only thing left out there to
> protect the privacy of the user.

This argument is irrelevant - we are IDENTIFYING the user when they log on to our site, so privacy concerns are inconsequential. Talking about eliminating proxies in general is a topic for a different thread, I think.

> A new
> solution needs
> to take place; for example, using smart cards in the identification
> process when a user wants to buy something online (just like the Blue
> card from American Express).

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An SSL-based (client certificate) solution will certainly be an improvement. Then the server will be able to use the SSL CN or DN as the "session identifier", and that would eliminate the problem of session hijacking.

> There will always be proxies, there will
> always be spoofers, and there will always be uber haxors, and
> no matter
> what we do, until we have the actual access control generated
> physically
> from the user station there will always be session hijacking.
>
> Regards,
>
> Tarek.

As you say, the SSL client certificate is handled outside of the browser and is non-hijackable (apart from spyware or other locally executed programs) and thus "physically from the user station".

Looking forward to that day when client certs are ubiquitous :-)

Rogan

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by clicking here or by copying and pasting the following address into your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre(at)Deloitte.co.za. Received on Sun Jul 27 11:47:52 2003