OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: Web-browser Binding Vulnerabilities + "Cures"

> The snatcher program is a windows (of course) deamon running 
> outside a standard browser
> that looks inside window objects.  It can even hook itself 
> into the window messaging to get
> all messages directly first.  Now, if the entire security 
> token is given as an URL the snatcher
> will see it in clear text (as displayed in the browser URL 
> window) and could give it to somebody else.
> Without hacking the browser.
> Cookies on the other hand are not displayed in the browser 
> window and therefore are slightly
> better protected.

If an attacker can run a priviledged program on a client system, there is NO
security mechanism that can protect him or her from stealing all user data,
keys, session tokens, etc. I don't see any reason to spend time on threats
of this type. Not because they are not real, but because nothing in the
protocol can protect against them. You must assume some sort of TCB to make
any progress.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC