cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sylvain Wallez <sylv...@apache.org>
Subject Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Sun, 02 Oct 2005 22:17:48 GMT
Pier Fumagalli wrote:

> I found this on the Jetty list, and thought it was relevant as in the  
> examples we tend to encode the continuation ID into the URL...
>
> This is f***ing scary!!!


Yep. And doesn't the same already happen with the Google toolbar, which 
certainly send the URL to Google to have the page rank? Same applies 
also to the PageRank Firefox extension...

Sylvain

> Begin forwarded message:
>
>> From: "Chris Haynes" <chris@harvington.org.uk>
>> Date: 28 September 2005 13:04:53 BDT
>> To: "Jetty Discuss" <jetty-discuss@lists.sourceforge.net>
>> Subject: [jetty-discuss] Microsoft IE7 compromise of session security
>> Reply-To: jetty-discuss@lists.sourceforge.net
>> List-Id: Discussion for Jetty development. <jetty- 
>> discuss.lists.sourceforge.net>
>>
>>
>> Everyone concerned with data security and privacy should read the  
>> Microsoft developer Blog describing their IE7 anti-phishing feature:
>> http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx
>>
>> With this browser feature enabled, Microsoft sends a copy of the  URL 
>> + path of every accessed page back to their HQ - even if you  have 
>> HTTPS/SSL/TLS enabled!
>>
>> Note the posts I have added to the blog on and since 26 Sept, and  
>> the Microsoft response confirming the compromise of HTTPS.
>>
>> It is possible that beta browsers with this feature are already  
>> available in the wild.
>>
>> There is one particular aspect that Servlet developers / security  
>> managers should be aware of...
>>
>> If using URL-rewriting for session management, Microsoft will be  
>> sent a copy of the Session ID while that session is still open  
>> (whether or not TLS is involved) , as this sessionID is contained  
>> within the path. There is nothing technical preventing, say, a  
>> Microsoft employee or contractor from joining that session.
>>
>> Jetty might need to add a site-selectable  option which detects the  
>> IE7 agent and throws an Exception if URL-rewriting is invoked - to  
>> prevent session IDs being sent to a compromised browser. Views,  anyone?
>>
>> The other security / privacy concerns with this  feature are of a  
>> broader nature, and probably OT for this list.
>>
>> Chris Haynes
>

-- 
Sylvain Wallez                        Anyware Technologies
http://people.apache.org/~sylvain     http://www.anyware-tech.com
Apache Software Foundation Member     Research & Technology Director


Mime
View raw message