cocoon-dev mailing list archives

From Stefano Mazzocchi <stef...@apache.org>
Subject Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Date Mon, 03 Oct 2005 15:43:11 GMT
Pier Fumagalli wrote:
> I found this on the Jetty list, and thought it was relevant as in the 
> examples we tend to encode the continuation ID into the URL...
> 
> This is f***ing scary!!!

Wow, this will either kill urlencoding or IE. Seems like good news 
for Firefox, though.

>     Pier
> 
> Begin forwarded message:
> 
>> From: "Chris Haynes" <chris@harvington.org.uk>
>> Date: 28 September 2005 13:04:53 BDT
>> To: "Jetty Discuss" <jetty-discuss@lists.sourceforge.net>
>> Subject: [jetty-discuss] Microsoft IE7 compromise of session security
>> Reply-To: jetty-discuss@lists.sourceforge.net
>> List-Id: Discussion for Jetty development. 
>> <jetty-discuss.lists.sourceforge.net>
>>
>>
>> Everyone concerned with data security and privacy should read the 
>> Microsoft developer Blog describing their IE7 anti-phishing feature:
>> http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx
>>
>> With this browser feature enabled, Microsoft sends a copy of the URL + 
>> path of every accessed page back to their HQ - even if you have 
>> HTTPS/SSL/TLS enabled!
>>
>> Note the posts I have added to the blog on and since 26 Sept, and the 
>> Microsoft response confirming the compromise of HTTPS.
>>
>> It is possible that beta browsers with this feature are already 
>> available in the wild.
>>
>> There is one particular aspect that Servlet developers / security 
>> managers should be aware of...
>>
>> If using URL-rewriting for session management, Microsoft will be sent 
>> a copy of the Session ID while that session is still open (whether or 
>> not TLS is involved), as this sessionID is contained within the path. 
>> There is nothing technical preventing, say, a Microsoft employee or 
>> contractor from joining that session.
>>
>> Jetty might need to add a site-selectable option which detects the 
>> IE7 agent and throws an Exception if URL-rewriting is invoked - to 
>> prevent session IDs being sent to a compromised browser. Views, anyone?
>>
>> The other security / privacy concerns with this feature are of a 
>> broader nature, and probably OT for this list.
>>
>> Chris Haynes
>>
> 


-- 
Stefano.
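The mitigation Chris proposes above (refuse to rewrite the session ID into the URL, optionally only for a given browser) can be implemented in any Servlet 2.x container without waiting for a Jetty option. The following filter is an added example written for this thread; it is not Jetty code and not something either poster wrote. It assumes only the standard `javax.servlet` API; the filter name, the init-param names (`failOnRewrite`, `userAgentMatch`) and the behaviour are this example's own choices.

```java
// Added example (not from Jetty or the thread): a Filter that wraps the response
// so that encodeURL()/encodeRedirectURL() never append ";jsessionid=...".
// With no session ID in the path, nothing that reports visited URLs can learn it.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class NoUrlRewritingFilter implements Filter {

    // init-param "failOnRewrite" (name chosen for this example): when true, a
    // rewrite attempt throws instead of silently returning the URL unchanged.
    private boolean failOnRewrite;

    // init-param "userAgentMatch" (name chosen for this example): if set, only
    // requests whose User-Agent contains this substring are protected; if unset,
    // URL rewriting is disabled for every client, which is the safer default.
    private String userAgentMatch;

    @Override
    public void init(FilterConfig config) {
        failOnRewrite = Boolean.parseBoolean(config.getInitParameter("failOnRewrite"));
        userAgentMatch = config.getInitParameter("userAgentMatch");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse
                && applies((HttpServletRequest) req)) {
            chain.doFilter(req, new NoRewriteResponse((HttpServletResponse) res, failOnRewrite));
        } else {
            chain.doFilter(req, res);
        }
    }

    // Decide whether this request gets the non-rewriting response wrapper.
    private boolean applies(HttpServletRequest req) {
        if (userAgentMatch == null || userAgentMatch.length() == 0) {
            return true; // no agent filter configured: protect everyone
        }
        String ua = req.getHeader("User-Agent");
        return ua != null && ua.indexOf(userAgentMatch) >= 0;
    }

    @Override
    public void destroy() { }

    // Response wrapper whose URL-encoding methods never insert the session ID.
    static final class NoRewriteResponse extends HttpServletResponseWrapper {
        private final boolean fail;

        NoRewriteResponse(HttpServletResponse response, boolean fail) {
            super(response);
            this.fail = fail;
        }

        @Override public String encodeURL(String url) { return guard(url); }
        @Override public String encodeRedirectURL(String url) { return guard(url); }

        // The pre-2.1 spellings still exist in the API and must be covered too,
        // otherwise a JSP or library calling them would bypass the protection.
        @Override @SuppressWarnings("deprecation") public String encodeUrl(String url) { return guard(url); }
        @Override @SuppressWarnings("deprecation") public String encodeRedirectUrl(String url) { return guard(url); }

        private String guard(String url) {
            if (fail) {
                throw new IllegalStateException(
                    "URL rewriting of the session ID is disabled; use cookie-based sessions");
            }
            return url; // unchanged: the container never gets to append the ID
        }
    }
}
```

Map the filter to `/*` in `web.xml` so every response is wrapped. Leaving `userAgentMatch` unset is the conservative choice: a User-Agent string is client-supplied and trivially changed, so keying the protection on it only helps against the specific browser the thread is worried about. The `failOnRewrite=true` mode is useful in testing, because it turns every place where the application still relies on URL rewriting into an immediate exception rather than a silently broken session for cookieless clients.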

