OSEC

From: Mark Curphey (markcurphey.com)
Date: Thu Sep 27 2001 - 00:20:58 CDT

    I am with Sverre. There are *loads* of really good texts and stuff on all
    those dns and arp cache things. This will never be a text on how to use
    dsniff! It is not in the scope of this project.

    I am not saying they are not related and not important and shouldn't be
    mentioned at some point but not in scope.

    This is about web enabled applications and web services.

    A web enabled application or web service is typically:

    1. An HTTP client
    2. A presentation layer (web server) that serves up html / xml (maybe using
    xslt) etc maybe using SOAP and IIOP
    3. One or more application layers (J2EE server (EJB, Servlet), C CGI, PHP
    etc.) that do the biz logic of the application
    4. A data source (SQL for .NET, any db for J2EE or others)

    -----Original Message-----
    From: Sverre H. Huseby [mailto:shhthathost.com]
    Sent: Wednesday, September 26, 2001 9:44 PM
    To: Kurt Seifried
    Cc: Dennis Groves; www mobile code
    Subject: Re: Attack Categories

    [Kurt Seifried]

    | If you depend on infrastructure to work correctly to provide
    | security components for your applications the infrastructure had
    | better be secure.

    Of course you're right, Kurt, but what I wanted to ask is do we really
    need separate chapters on, let's say sniffing? From an application
    developer's stand, I wonder if it would be better to talk about
    sniffing in the context of something else. Like when talking about
    session hijacking: Cookies containing session ids may be sniffed off
    the network. Or when talking about passwords.

    I do not think all the hairy details about sniffing and such are
    needed in this text. It may be enough to point out what is possible,
    and what problems it may give the developers. And of course,
    references to more information for those interested is also a good
    thing.

    Sverre.

    --
    shhthathost.com			Try my Nerd Quiz at
    http://shh.thathost.com/		http://nerdquiz.thathost.com/