Difference between revisions of "Fix Session Mgmt Jacking"

From IIW

Latest revision as of 15:08, 3 February 2011

Issue/Topic: Prevent Session Jacking

Session: Wednesday 2B

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Sam Curren

Notes-taker(s): Sam Curren


Session Jacking, firesheep, ssl

Discussion notes:

There is a need to prevent session jacking (as demonstrated by Firesheep) without requiring SSL for all content. We gathered ideas for a solution that would require slight modifications to both Browsers and Servers.

The Goal: Prevent reuse of hijacked session bearer token for a new attacker chosen request.

This is only to prevent session jacking, not man-in-the-middle attacks or any of the other network related attacks.

Key Ideas:

  • Leave session cookie/bearer token as-is
  • Establish a key during the initial SSL authentication session.
  • Add a keyed hash of the request, and transmit it alongside the session cookie.
  • Server checks the keyed hash and validates that the request came from the original user.

We think the changes to Browsers and Sites would be minimal, following the establishment and verification of a spec.
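The following is an added example, not code from the session or from any of the people named, showing how the four key ideas fit together. It assumes the session key is handed to the browser during the SSL login (here modelled by `login_over_ssl`), that the MAC covers the method, path and a body digest (one possible canonicalisation; the session did not fix one), and that the server keeps the key in its own session store. A captured cookie plus MAC from one request is rejected when reused for a different, attacker-chosen request, which is exactly the stated goal; replay of the identical request is out of scope here, as it is in the notes.

```python
import hashlib
import hmac
import secrets


def canonical_request(method: str, path: str, body: bytes) -> bytes:
    # Byte string covered by the keyed hash. Fields are newline-separated so
    # that "GET" + "/a" cannot collide with a different split of the same text.
    # The body is represented by its SHA-256 digest so large bodies stay cheap.
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest]).encode()


def sign_request(session_key: bytes, method: str, path: str, body: bytes = b"") -> str:
    # HMAC-SHA256 over the canonical request, keyed with the per-session secret.
    # This value travels alongside the (unchanged) session cookie on each request.
    return hmac.new(session_key, canonical_request(method, path, body), hashlib.sha256).hexdigest()


class Server:
    """Minimal site that keeps the existing bearer cookie and adds MAC checking."""

    def __init__(self) -> None:
        # cookie value -> session key; the key never leaves the server except
        # during the SSL-protected login below.
        self.sessions: dict[str, bytes] = {}

    def login_over_ssl(self) -> tuple[str, bytes]:
        # Assumed to run inside the initial SSL authentication session: the
        # server issues the ordinary session cookie and a fresh key bound to it.
        cookie = secrets.token_hex(16)
        session_key = secrets.token_bytes(32)
        self.sessions[cookie] = session_key
        return cookie, session_key

    def handle(self, cookie: str, mac: str, method: str, path: str, body: bytes = b"") -> int:
        # Returns an HTTP-style status code for the request.
        session_key = self.sessions.get(cookie)
        if session_key is None:
            return 401  # unknown cookie: no session at all
        expected = sign_request(session_key, method, path, body)
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(expected, mac):
            return 403  # valid cookie, but the request was not made by the key holder
        return 200


def demo() -> tuple[int, int, int]:
    """Constructed scenario: one legitimate request, one hijack attempt, one bogus cookie."""
    server = Server()
    cookie, session_key = server.login_over_ssl()

    # Legitimate browser: cookie + MAC computed with the session key.
    mac = sign_request(session_key, "GET", "/inbox")
    ok = server.handle(cookie, mac, "GET", "/inbox")

    # Sniffer on open Wi-Fi sees the cookie and that MAC, but not the key, and
    # tries to use them for a request of its own choosing.
    hijacked = server.handle(cookie, mac, "POST", "/settings/email", b"email=other@example.invalid")

    # Cookie that was never issued.
    unknown = server.handle("not-a-real-cookie", mac, "GET", "/inbox")

    return ok, hijacked, unknown


if __name__ == "__main__":
    print(demo())  # (200, 403, 401)
```

The cookie and MAC remain visible on plaintext requests, so anything that could be proven from seeing them (that a session exists, which paths are fetched) is still exposed; the only property added is that a new request cannot be authenticated without the key that was only ever sent under SSL.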

Key individuals that will be contacted: Colin Jackson, Adam Barth, Ben Laurie.