tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Minoo Hamilton <mi...@forkbolt.net>
Subject Re: Why are manager session tokens generated with MD5 by default?
Date Tue, 06 Jan 2009 02:22:47 GMT
Preston L. Bannister wrote:
> How would you reverse a session-id from an MD5 hash? The exploit used to
> forge an SSL certificate will not help you. The MD5 exploit is irrelevant to
> this particular usage.
>
> Lots of links and discussion:
> http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
>   
I'm fully aware that this is different, Preston.  And I am certain that 
there are many things I don't understand about security.  All I meant to 
point out by the reference was that the idea that MD5 collisions are 
theoretical, based on the notion of computational expense, should now be 
shattered.

> If you are connecting to *any web application* on a high-value target over
> an insecure network using HTTP (not HTTPS) then you already have a *Very
> Large Problem* (think about man-in-the-middle attacks). Changing the hash
> applied to session ids is not going to help.
>   
Yes, but what I'm suggesting relates to brute forcing and session 
hijacking scenarios.  I totally agree that SSL definitely makes it all 
much harder to pull off.  Nonetheless, many sites have vulnerabilities 
in how they handle these things (e.g. the recent Yahoo Mail problem), so 
taking SSL for granted can be a problem, as well.

> Minoo, as a "security researcher" you should already be clear on the
> relative importance of differing risks, and cost/value ratios of exploits.
> Use of the MD5 hash as described is entirely harmless.
>   
Thanks for the air quotes, Preston.  The problem with your line of logic 
is that it ignores asymmetries -- the thing you don't thing is a problem 
that can sometimes be your biggest problem.   I tend to treat things 
equally till I'm certain, because risk does not follow a normal 
distribution model, when it comes to vulnerabilities. 

Anyhow, I have come to the Tomcat developer community to both be 
supportive and to ask for help in determining if this is or is not a 
real risk.  Clearly you think it is not.  I appreciate your feedback.

Minoo

>
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message