"FromTheRafters" <firstname.lastname@example.org> writes:
> Reading around on the net, I see recommendations for transport layer
> security as having some effect against this attack - I don't see how, if
> this really is about a cookie *file* on a computer on the usecured wireless
> network as indicated in the OP's quote. Getting hold of *cookies* in this
> sense must not be quite the same as getting hold of *cookie files* stored on
> a computer on the affected network - or else SSL/TLS wouldn't have any
> effect on it.
cookie capture is evesdropping on open communication channel (during
cookie transfer) ... followed by a "replay attack" of the harvested
cooking ... then encrypting the communication is countermeasure to
evesdropping (as opposed to a trojan running on the victim machine that
harvests the cookie from disk file).
there is separate discussion about cookies being a poor solution
lcamtuf's blog: HTTP cookies, or how not to design protocols http://lcamtuf.blogspot.com/2010/10/...to-design.html
virtualization experience starting Jan1968, online at home since Mar1970