Subject: RE: Indexical reference problem defined
Stephen Farrell wrote:

> > What are the threats to a claim check? There are basically
> > two: interception and guessing or deriving its value.
>
> Aren't there some http re-direct based attacks against
> cookies?

You are correct. My previous comments assumed a browser functioning according to RFC. Historically, a lot of browsers did not correctly enforce cross domain cookie restrictions. Our testing suggests this is no longer an issue.

Just for fun ;-) I searched the SecurityFocus vulnerability database for "cookie". I think the one you might have in mind is an IE bug which allows an attacker to confuse the browser as to which site it is talking to by means of a URL with escaped characters. (I bet Unicode works, too.) This can cause the browser to deliver the wrong cookie to the web server. The BUGTRAQ Id is 1194; the CVE is CVE-2000-0439.

There is also a HotJava bug that can reveal cookies. There is an IIS bug in which it will not always force SSL on cookies marked "secure." A bug in MS Site Server and Commercial Information Server can reveal cookies. Finally, the Bluestone/Saphire server has an SSO cookie scheme in which the cookie contains a session id which is incremented by one for each new session. This supports Bob Blakely's observation that there are a lot of insecure solutions to the problem.

> If this is still the case, there's not much SAML can do about it, other
> than recognize the vulnerability and maybe give guidance about using
> cookies for SSO.

I agree. This is fodder for the security and privacy considerations group. A search of BUGTRAQ, CVE and a few other vulnerability databases strikes me as appropriate due diligence.

BTW, just for the record, encoded URLs can be used cross domain, where cookies cannot. However, there are advantages to using cookies within a domain, for example, encoded URLs tend to kill caching. I believe the thinking I heard expressed at the F2F was to use a combination of the two.

Hal
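The two failure modes Hal lists, a client handing a cookie to the wrong host because it mis-parsed an escaped URL, and a "secure" cookie going out over plain HTTP, both come down to one decision: given a stored cookie and a request URL, may the cookie be attached? The following is an added example, not code from the message or from any SAML implementation. It models RFC 6265 domain matching and the Secure attribute in Node.js, using the built-in URL parser to extract the host, and contrasts that with a deliberately naive parser that percent-decodes the whole URL before splitting off the authority. The naive parser stands in for the class of bug described above; it is not a reconstruction of the actual IE defect (BUGTRAQ 1194 / CVE-2000-0439), whose details are not on this page. All host names, URLs and the cookie itself are constructed for illustration.

```javascript
// Added example (not from the original thread). Requires Node.js (global URL).
// Models: which stored cookie may be attached to which request.

// RFC 6265 5.1.3: a request host domain-matches a cookie domain when the
// two are identical, or the host ends in "." + domain and is not an IP
// address (IPv4 check only here; a real client also rejects IPv6 literals).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^[\d.]+$/.test(host);
}

// Correct host extraction: the URL parser splits the authority on the raw,
// still percent-encoded string, so "%2F" inside userinfo stays data.
function hostOf(urlString) {
  return new URL(urlString).hostname;
}

// Naive host extraction (the bug class): decode escapes first, then take
// "everything after :// up to the next slash". A decoded "%2F" becomes a
// real slash and truncates the authority before the real host.
function naiveHostOf(urlString) {
  const decoded = decodeURIComponent(urlString);
  const m = /^https?:\/\/([^/?#]+)/i.exec(decoded);
  if (!m) return null;
  return m[1].split('@').pop().split(':')[0].toLowerCase();
}

// Decide whether a stored cookie may be sent with a request.
// cookie: { name, value, domain, hostOnly, secure }
// hostFn lets the caller plug in hostOf (correct) or naiveHostOf (buggy).
function shouldSendCookie(cookie, urlString, hostFn = hostOf) {
  const url = new URL(urlString);
  const host = hostFn(urlString);
  if (host === null) return false;
  // Secure attribute: only over TLS. A client (or server) that skips this
  // check leaks the cookie to anyone on the path.
  if (cookie.secure && url.protocol !== 'https:') return false;
  // Host-only cookies (no Domain attribute) match exactly one host.
  if (cookie.hostOnly) return host === cookie.domain.toLowerCase();
  return domainMatches(host, cookie.domain);
}

// Constructed SSO cookie scoped to victim.example, marked Secure.
const SSO_COOKIE = {
  name: 'SSO', value: 'opaque-claim-check',
  domain: 'victim.example', hostOnly: false, secure: true,
};

// Constructed request URLs; the last one is the escaped-character trick.
const CASES = [
  'https://sso.victim.example/',                     // same domain, TLS: send
  'http://sso.victim.example/',                      // plain HTTP: Secure blocks it
  'https://victim.example.attacker.example/',        // suffix trick: no match
  'https://victim.example%2F@attacker.example/',     // host confusion candidate
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of CASES) {
    console.log(u,
      '| correct:', shouldSendCookie(SSO_COOKIE, u),
      '| naive:', shouldSendCookie(SSO_COOKIE, u, naiveHostOf));
  }
}
```

Run with `node cookie-scope.js`. The first three URLs are decided the same way by both parsers; the fourth is where they diverge: the real host is attacker.example, so the correct client withholds the cookie, while the naive client decodes `%2F` to `/`, reads the host as victim.example, and delivers the victim's SSO cookie to the attacker's server. That is the "wrong cookie to the web server" outcome in one function call, and the Secure check beside it is the one the IIS bug above failed to enforce on the server side.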