cocoon-dev mailing list archives

From Antonio Gallardo <agalla...@agssa.net>
Subject Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Sun, 02 Oct 2005 23:41:03 GMT
Pier Fumagalli wrote:

> I found this on the Jetty list, and thought it was relevant as in the  
> examples we tend to encode the continuation ID into the URL...
>
> This is f***ing scary!!!

For the record, don't think they just invented the "cool water" today!
Anti-phishing bars for browsers are not new at all. These toolbars have been out
there for quite a long time [1]. I already won at least 10 coffee cups with the
Netcraft logo by reporting phishing sites to them [2].

Best Regards,

Antonio Gallardo.

[1] http://toolbar.netcraft.com/
[2] http://toolbar.netcraft.com/report_url


>
>     Pier
>
> Begin forwarded message:
>
>> From: "Chris Haynes" <chris@harvington.org.uk>
>> Date: 28 September 2005 13:04:53 BDT
>> To: "Jetty Discuss" <jetty-discuss@lists.sourceforge.net>
>> Subject: [jetty-discuss] Microsoft IE7 compromise of session security
>> Reply-To: jetty-discuss@lists.sourceforge.net
>> List-Id: Discussion for Jetty development. <jetty-discuss.lists.sourceforge.net>
>>
>>
>> Everyone concerned with data security and privacy should read the  
>> Microsoft developer Blog describing their IE7 anti-phishing feature:
>> http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx
>>
>> With this browser feature enabled, Microsoft sends a copy of the URL
>> + path of every accessed page back to their HQ - even if you have
>> HTTPS/SSL/TLS enabled!
>>
>> Note the posts I have added to the blog on and since 26 Sept, and  
>> the Microsoft response confirming the compromise of HTTPS.
>>
>> It is possible that beta browsers with this feature are already  
>> available in the wild.
>>
>> There is one particular aspect that Servlet developers / security  
>> managers should be aware of...
>>
>> If using URL-rewriting for session management, Microsoft will be
>> sent a copy of the Session ID while that session is still open
>> (whether or not TLS is involved), as this sessionID is contained
>> within the path. There is nothing technical preventing, say, a
>> Microsoft employee or contractor from joining that session.
>>
>> Jetty might need to add a site-selectable option which detects the
>> IE7 agent and throws an Exception if URL-rewriting is invoked - to
>> prevent session IDs being sent to a compromised browser. Views, anyone?
>>
>> The other security / privacy concerns with this feature are of a
>> broader nature, and probably OT for this list.
>>
>> Chris Haynes
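The servlet-side mitigation Chris sketches above (refuse URL-rewriting so the session id never ends up in a path that a URL-reporting browser feature, a Referer header or an access log can carry away) can be done with a plain servlet filter rather than a container option. The filter below is an added example written for this thread; it is not Jetty's code and not code from either poster. It goes a step further than the proposal: instead of checking for the IE7 user agent, it disables URL-rewriting for every client (any URL-reporting channel leaks the id, not just one browser), and a request that arrives with the id in its path is treated as already exposed, so that session is invalidated and the client is redirected to the same resource without the path parameter. The class name `NoUrlSessionFilter` and the `;jsessionid=` path-parameter format are assumptions; the Servlet 2.x API calls (`isRequestedSessionIdFromURL`, `HttpServletResponseWrapper`, `encodeURL`, `encodeRedirectURL`) are real.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example for this thread, not Jetty's code):
 * never emit a session id in a URL, and refuse session ids that arrive in one.
 * Map it in web.xml with a filter-mapping whose url-pattern is "/*".
 */
public class NoUrlSessionFilter implements Filter {

    // The ";jsessionid=..." path parameter that servlet containers append when
    // URL-rewriting is in use (assumed format; matches the common container default).
    private static final Pattern JSESSIONID = Pattern.compile("(?i);jsessionid=[^;/?#]*");

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // The id has already travelled in the path, where access logs, Referer
            // headers and URL-reporting browser features can see it: treat it as burned.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Send the client back to the same resource without the path parameter.
            // A cookie-capable client gets a fresh id via Set-Cookie on the next response.
            String clean = stripSessionId(request.getRequestURI());
            if (request.getQueryString() != null) {
                clean += "?" + request.getQueryString();
            }
            response.sendRedirect(clean);
            return;
        }

        // Normal request: let the application run, but with a response whose
        // encode* methods never rewrite URLs, so no link or redirect gains an id.
        chain.doFilter(request, new NoRewriteResponse(response));
    }

    /** Removes every ";jsessionid=..." path parameter from a request URI. */
    static String stripSessionId(String uri) {
        return JSESSIONID.matcher(uri).replaceAll("");
    }

    /** Response wrapper that returns URLs unchanged instead of appending a session id. */
    private static final class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse response) {
            super(response);
        }

        public String encodeURL(String url) {
            return url;
        }

        public String encodeRedirectURL(String url) {
            return url;
        }

        public String encodeUrl(String url) {          // deprecated alias, still called by old code
            return url;
        }

        public String encodeRedirectUrl(String url) {  // deprecated alias, still called by old code
            return url;
        }
    }
}
```

The redirect cannot loop: because the wrapped response never rewrites, the application has no way to put the id back into a link, so the second request arrives without a path parameter and passes straight through. Clients that cannot accept cookies lose their session under this filter, which is the intended trade-off for the exposure Chris describes. Containers implementing Servlet 3.0 or later also offer a declarative form of the first half of this (a session-config tracking-mode of COOKIE in web.xml); the filter remains useful on older containers and for the invalidate-on-arrival check.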