In <pan.2011.01.22.18.22...@gmail.com>, Camaleón wrote:
>On Sat, 22 Jan 2011 11:13:31 -0600, Boyd Stephen Smith Jr. wrote:
>> In <pan.2011.01.22.16.44...@gmail.com>, Camaleón wrote:
>>>> Physical access to the same hardware in a roughly 5 minute window also
>>>> allows one to impersonate another user on a Kerberos network; that's
>>>> not generally considered insecure.
>>>
>>>Not "hardware" but "data".
>>>
>> Please provide a scenario where they have access to the data, but not
>> the hardware. Your example quoted above assumed they have access to the
>> removable flash drive, which is hardware.
>
>I meant, the hardware itself is irrelevant for the case. It can be on a
>flash stick, on external drive, on a notebook or even stored online. Once
>you get the source (the encrypted cookie with the session id) the server
>does not make further validations. You don't know what is the content of
>the session id but you can use it anyway.

As long as the timeout is relatively small (e.g. 5 minutes) this is generally
considered secure. HTTPS Everywhere prevents cookies from being intercepted
on-the-wire, which prevents "sidejacking" attacks.
-- 
Boyd Stephen Smith Jr.
b...@iguanasuicide.net
ICQ: 514984
YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
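The exchange above turns on two server-side controls: an idle timeout that bounds how long a copied session id stays usable, and cookie attributes that keep the id off plaintext HTTP. The following is an added illustration, not code from this thread or from any project mentioned in it; the SessionStore class, the IDLE_TIMEOUT constant and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 5 * 60  # seconds: the "relatively small" window discussed in the thread


class SessionStore:
    """Server-side session table keyed by a random session id (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the timeout can be exercised offline
        self._sessions = {}  # sid -> {"user": str, "last_seen": float}

    def create(self, user):
        # 256 bits of randomness: the id itself reveals nothing about the user
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None.

        A session id presented after IDLE_TIMEOUT seconds of inactivity is
        purged, so a copied cookie is only useful inside that window.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._now()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now  # activity extends the session
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Cookie attributes: Secure keeps it off plaintext HTTP (the sidejacking
    case), HttpOnly keeps it away from script, SameSite limits cross-site use."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print(store.validate(sid))  # alice, while the session is still live
```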