Subject: RE: Web-browser Binding Vulnerabilities + "Cures"
Before going much further into cookies, passport etc., I don't understand how the scenario you have outlined can take place over HTTPS.

> The use of references to assertions etc. in the form of URLs
> which are usually given to an authenticated client by a
> credential issuer using an HTTP 301 (redirect) has at least one
> problem: A credential consumer cannot easily determine if it
> is the original client that handed over the URL containing
> such a reference. A simple browser URL window snooper program
> could "snatch" such tokens and transport them to somebody else.
> In spite of secure https transports.

My understanding is that HTTPS secures all query string arguments as well as any data sent in the HTTP command and response. Can you explain the operation of this "snatching" scheme further?

- prateek