Fix Session Mgmt Jacking
Issue/Topic: Prevent Session Jacking
Session: Wednesday 2B
Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page
Convener: Sam Curren
Notes-taker(s): Sam Curren
Tags:
Session Jacking, firesheep, ssl
Discussion notes:
There is a need to prevent session jacking (firesheep) without requiring SSL for all content. We gathered ideas for a solution that would require slight modifications to both Browsers and Servers.
The Goal: Prevent reuse of hijacked session bearer token for a new attacker chosen request.
This is only meant to prevent session jacking, not man-in-the-middle attacks or any of the other network-related attacks.
Key Ideas:
- Leave session cookie/bearer token as-is
- Establish a key during initial SSL authentication session.
- Add a keyed-hash for the request, and transmit alongside session cookie.
- Server checks keyed-hash, validates from original user.
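The four key ideas above, worked through as an added example that is not from the session or its participants: the session cookie is left as-is, a per-session key is agreed during the SSL login, the browser sends a keyed hash of each request alongside the cookie, and the server recomputes it. HMAC-SHA256 as the keyed hash, the canonical request framing, and the in-memory session table are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Assumed server-side state: session cookie -> per-session key agreed over SSL.
SESSIONS = {}


def establish_session():
    """Idea 2: during the SSL-protected login, issue the ordinary bearer cookie
    and a per-session key. Only the cookie is ever sent over plain HTTP."""
    cookie = secrets.token_hex(16)
    key = secrets.token_bytes(32)
    SESSIONS[cookie] = key
    return cookie, key


def canonical_request(method, path, body):
    # Fixed framing so method, path and body cannot be shifted into one another.
    return b"\n".join([method.encode(), path.encode(), body])


def sign_request(key, method, path, body):
    """Idea 3: the browser computes a keyed hash (HMAC-SHA256 assumed here)
    over the request and sends it next to the session cookie."""
    return hmac.new(key, canonical_request(method, path, body),
                    hashlib.sha256).hexdigest()


def server_accepts(cookie, method, path, body, tag):
    """Idea 4: the server looks up the key for the cookie, recomputes the
    keyed hash and compares in constant time."""
    key = SESSIONS.get(cookie)
    if key is None:
        return False
    expected = sign_request(key, method, path, body)
    return hmac.compare_digest(expected, tag)


def demo():
    """Constructed scenario: a sniffer sees the cookie and tag of one plain-HTTP
    request, then tries them on a different request of its own choosing."""
    cookie, key = establish_session()
    tag = sign_request(key, "GET", "/inbox", b"")
    legit = server_accepts(cookie, "GET", "/inbox", b"", tag)
    forged = server_accepts(cookie, "POST", "/settings", b"email=x", tag)
    return legit, forged  # (True, False): new request with stolen cookie fails
```

Note that an identical captured request would still verify, which matches the stated goal (only new attacker-chosen requests are prevented); covering exact replays would require a nonce or timestamp inside the signed data.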
We think the changes to Browsers and Sites would be minimal, following the establishment and verification of a spec.
Key individuals that will be contacted: Colin Jackson, Adam Barth, Ben Laurie.