cocoon-dev mailing list archives

From Pier Fumagalli <p...@betaversion.org>
Subject Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Sun, 02 Oct 2005 22:01:06 GMT
I found this on the Jetty list, and thought it was relevant as in the  
examples we tend to encode the continuation ID into the URL...

This is f***ing scary!!!

     Pier

Begin forwarded message:

> From: "Chris Haynes" <chris@harvington.org.uk>
> Date: 28 September 2005 13:04:53 BDT
> To: "Jetty Discuss" <jetty-discuss@lists.sourceforge.net>
> Subject: [jetty-discuss] Microsoft IE7 compromise of session security
> Reply-To: jetty-discuss@lists.sourceforge.net
> List-Id: Discussion for Jetty development. <jetty-discuss.lists.sourceforge.net>
>
>
> Everyone concerned with data security and privacy should read the  
> Microsoft developer Blog describing their IE7 anti-phishing feature:
> http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx
>
> With this browser feature enabled, Microsoft sends a copy of the  
> URL + path of every accessed page back to their HQ - even if you  
> have HTTPS/SSL/TLS enabled!
>
> Note the posts I have added to the blog on and since 26 Sept, and  
> the Microsoft response confirming the compromise of HTTPS.
>
> It is possible that beta browsers with this feature are already  
> available in the wild.
>
> There is one particular aspect that Servlet developers / security  
> managers should be aware of...
>
> If using URL-rewriting for session management, Microsoft will be  
> sent a copy of the Session ID while that session is still open  
> (whether or not TLS is involved), as this sessionID is contained  
> within the path. There is nothing technical preventing, say, a  
> Microsoft employee or contractor from joining that session.
>
> Jetty might need to add a site-selectable option which detects the  
> IE7 agent and throws an Exception if URL-rewriting is invoked - to  
> prevent session IDs being sent to a compromised browser. Views,  
> anyone?
>
> The other security / privacy concerns with this feature are of a  
> broader nature, and probably OT for this list.
>
> Chris Haynes
>

