Re: Growing Bad Practice with Login Forms

From: Jason Coombs PivX Solutions (jasoncscience.org)
Date: Tue Jul 27 2004 - 21:18:46 CDT


Ivan Ristic wrote:
> * Session cookies transmitted over an unencrypted channel
> should not be allowed over SSL. The same the other way
> round.

Browsers already differentiate between SSL cookies and non-SSL cookies.

As a result it is often necessary to URL-encode the session identifier,
at least at the transition from a non-SSL-mode session to an SSL-mode
session -- most sites allow the user to browse for a while without
"going secure" for a more sensitive step. The scenario that prompted
this discussion is a good example of this - everyone is welcome to visit
the home page unencrypted/unauthenticated, and when the user is ready to
log in the FORM POST goes via SSL ... (allegedly, and who knows *where*
it was supposed to go when in fact it went where it went, wherever that
was, since the user doesn't know and won't care).

Browsers definitely should get rid of certificate chains as a basis of
trust. The public key is the only thing that matters, and the only good
that certificate chains do for us is give us a small increase in
confidence that the public key we are being offered in fact belongs to
the organization we think it belongs to... certificate spoofing flaws
exist that make certificate-based trust mostly a stupid browser trick
and not a real mechanism for security, but we're stuck with it anyway
until somebody (me, for example, or you, perhaps) bothers to barge into
the Mozilla codebase and developer community and bash some heads and
write some code to make the thing behave properly.

Most Secure Regards,

Jason Coombs
Jcoombspivx.com
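The browser rule the post alludes to (a cookie carrying the Secure attribute is only sent over https, a cookie set without it goes out over both schemes) and the non-SSL to SSL transition it describes, modelled as an added example that is not code from the post or from either author; the cookie headers are constructed sample values and `login_over_ssl` is a hypothetical server step that replaces the session identifier seen on the wire with a fresh Secure one at login.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False

def parse_set_cookie(header: str) -> Cookie:
    """Parse the subset of Set-Cookie used here: name=value; attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name.strip(), value.strip(), secure)

def cookies_for(jar: list[Cookie], scheme: str) -> dict[str, str]:
    """Cookies a browser attaches to a request on `scheme` (RFC 6265 rule:
    Secure cookies only over https, non-Secure cookies over either)."""
    over_tls = scheme.lower() == "https"
    return {c.name: c.value for c in jar if over_tls or not c.secure}

def login_over_ssl(jar: list[Cookie]) -> list[Cookie]:
    """Hypothetical server-side step at the SSL login: discard the session
    identifier that travelled in plaintext and issue a new Secure one, so
    the plaintext-era value is never carried into the authenticated session."""
    kept = [c for c in jar if c.name != "SESSIONID"]
    fresh = Cookie("SESSIONID", secrets.token_urlsafe(24), secure=True)
    return kept + [fresh]

# Constructed sample jar: the site set a plain session cookie while the
# user browsed the home page unencrypted.
PLAINTEXT_JAR = [parse_set_cookie("SESSIONID=abc123; Path=/"),
                 parse_set_cookie("prefs=dark; Path=/")]

def demo() -> dict[str, dict[str, str]]:
    """Show which cookies leave the browser before and after the login."""
    before_http = cookies_for(PLAINTEXT_JAR, "http")    # plaintext id sent
    before_https = cookies_for(PLAINTEXT_JAR, "https")  # ...and over SSL too
    jar = login_over_ssl(PLAINTEXT_JAR)
    after_https = cookies_for(jar, "https")             # fresh Secure id
    after_http = cookies_for(jar, "http")               # Secure id withheld
    return {"before_http": before_http, "before_https": before_https,
            "after_https": after_https, "after_http": after_http}

if __name__ == "__main__":
    for step, sent in demo().items():
        print(f"{step:13s} -> {sent}")
```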