11-09-2010, 07:24 PM
Anne & Lynn Wheeler
Re: A Wolf In Sheep's Clothing - New Threat


"FromTheRafters" <erratic.howard@gmail.com> writes:
> Reading around on the net, I see recommendations for transport layer
> security as having some effect against this attack - I don't see how, if
> this really is about a cookie *file* on a computer on the unsecured wireless
> network as indicated in the OP's quote. Getting hold of *cookies* in this
> sense must not be quite the same as getting hold of *cookie files* stored on
> a computer on the affected network - or else SSL/TLS wouldn't have any
> effect on it.


cookie capture is eavesdropping on open communication channel (during
cookie transfer) ... followed by a "replay attack" of the harvested
cookie ... then encrypting the communication is countermeasure to
eavesdropping (as opposed to a trojan running on the victim machine that
harvests the cookie from disk file).

there is separate discussion about cookies being a poor solution

lcamtuf's blog: HTTP cookies, or how not to design protocols
http://lcamtuf.blogspot.com/2010/10/...to-design.html

--
virtualization experience starting Jan1968, online at home since Mar1970
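
An added example, not part of the original post: encryption only counters the eavesdropping step if the cookie never crosses the network in the clear, so this Python check flags cookies that lack the `Secure` attribute, which browsers also attach to plain `http://` requests. The header values and function names are constructed for illustration.

```python
# Added example: all header values below are constructed sample data.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cleartext_exposed(set_cookie_headers):
    """Return names of cookies a browser would also send over plain HTTP.

    A cookie without the Secure attribute is attached to http:// requests
    to the same host, so it can be captured on an open network even when
    the page that issued it was served over TLS.
    """
    exposed = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed Set-Cookie values, as a server might return them.
SAMPLE_HEADERS = [
    "session_id=constructed-token-1; Path=/; HttpOnly",
    "auth=constructed-token-2; Path=/; Secure; HttpOnly",
    "prefs=lang-en; Path=/",
]

if __name__ == "__main__":
    for name in cleartext_exposed(SAMPLE_HEADERS):
        print("sent over plain HTTP, capturable on an open network:", name)
```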
