From: Stefano Mazzocchi
To: dev@cocoon.apache.org
Date: Mon, 03 Oct 2005 08:43:11 -0700
Subject: Re: Fwd: [jetty-discuss] Microsoft IE7 compromise of session security
Message-ID: <4341518F.6050508@apache.org>
In-Reply-To: <37A85658-20E7-49E6-9660-17A8E9DBCC25@betaversion.org>
References: <07e701c5c424$d5d9e1a0$0600000a@john> <37A85658-20E7-49E6-9660-17A8E9DBCC25@betaversion.org>

Pier Fumagalli wrote:
> I found this on the Jetty list, and thought it was relevant as in the
> examples we tend to encode the continuation ID into the URL...
>
> This is f***ing scary!!!

Wow, this will either kill urlencoding or IE.

Seems like good news for firefox, though.

> Pier
>
> Begin forwarded message:
>
>> From: "Chris Haynes"
>> Date: 28 September 2005 13:04:53 BDT
>> To: "Jetty Discuss"
>> Subject: [jetty-discuss] Microsoft IE7 compromise of session security
>> Reply-To: jetty-discuss@lists.sourceforge.net
>> List-Id: Discussion for Jetty development.
>>
>> Everyone concerned with data security and privacy should read the
>> Microsoft developer Blog describing their IE7 anti-phishing feature:
>> http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx
>>
>> With this browser feature enabled, Microsoft sends a copy of the URL +
>> path of every accessed page back to their HQ - even if you have
>> HTTPS/SSL/TLS enabled!
>>
>> Note the posts I have added to the blog on and since 26 Sept, and the
>> Microsoft response confirming the compromise of HTTPS.
>>
>> It is possible that beta browsers with this feature are already
>> available in the wild.
>>
>> There is one particular aspect that Servlet developers / security
>> managers should be aware of...
>>
>> If using URL-rewriting for session management, Microsoft will be sent
>> a copy of the Session ID while that session is still open (whether or
>> not TLS is involved), as this sessionID is contained within the path.
>> There is nothing technical preventing, say, a Microsoft employee or
>> contractor from joining that session.
>>
>> Jetty might need to add a site-selectable option which detects the
>> IE7 agent and throws an Exception if URL-rewriting is invoked - to
>> prevent session IDs being sent to a compromised browser. Views, anyone?
>>
>> The other security / privacy concerns with this feature are of a
>> broader nature, and probably OT for this list.
>>
>> Chris Haynes
>

-- 
Stefano.