WebApp Sec mailing list archives

Re: Session Fixation


From: Alex Russell <alex () netWindows org>
Date: Tue, 1 Apr 2003 14:33:19 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 01 April 2003 12:33 pm, Matt Fisher wrote:
http://www.computerbytesman.com/privacy/supercookie.htm

wow. What a mess. 

Although I suppose the blame lies much more with the permissive nature of IE 
than with WMP per se.

Has anyone put the Internet Explorer ^Super Cookie^ to use ?

For the particular app I am working on, I can guarantee that all the
users are connecting with IE over SSL.  Plus they all (mainly) go
through a router from the same LAN, thus appear to have the same IP.

I am currently logging the super cookie to try and determine if it
really is unique enough.

Given the above description, you should note that trusting said 
"super-cookie" is no better than an IP because it is something that _you 
didn't issue_. If you didn't issue it, you can't verify it. If you can't 
verify it, you can't trust it (PKI is the notable exception to the issuing 
rule, as you can verify without issuing). If you can't trust it, you 
shouldn't use it as a basis for security measures.

I'm sure it's plenty unique (in the common case), however good security 
design (and good accessibility design) strongly suggest that you design 
your app so that it continues to function correctly in the _uncommon_ case. 
Not just when the browser is being complicit in the degradation of its 
users' privacy. Also, why should you count on the machine having WMP 
installed in the first place? And why should you rely on JavaScript?

- -- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+ifePoV0dQ6uSmkYRAu5OAKCL1yB9CLOvOeGj1tv0BW2Jdfc/zwCgwyyJ
r/BZbi/9ftWYC0Aom8cZWlI=
=QtF9
-----END PGP SIGNATURE-----
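The "issue, verify, trust" argument in the reply above, as an added worked example that is not part of the original thread: a server mints session tokens it can later verify (a random id plus an HMAC tag under a server-only key, recorded server side), and rejects anything it did not issue, whether an attacker-chosen session id (the fixation vector the thread is named after) or a browser-supplied identifier such as the WMP "super cookie" GUID. It also rotates the id on login, which is the standard session-fixation defence. The `SessionStore` class, its in-memory dictionary, and the sample identifiers are assumptions made for this illustration, not code from any project discussed on the page.

```python
"""Server-issued, server-verifiable session tokens (added example).

Point being illustrated: an identifier the server did not issue cannot be
verified, so it must not be trusted as a security control. Everything here
(class name, in-memory store, sample ids) is hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SessionStore:
    """Hypothetical in-memory session store keyed by server-minted ids."""

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key
        self._sessions: Dict[str, dict] = {}

    def _tag(self, session_id: str) -> str:
        # HMAC over the id proves this server minted it; a client holding only
        # the id cannot forge the tag without the key.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, data: Optional[dict] = None) -> str:
        """Mint a fresh session: random id + HMAC tag, and record it server side."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = dict(data or {})
        return f"{session_id}.{self._tag(session_id)}"

    def verify(self, token: object) -> Optional[dict]:
        """Return the session data if the token is one we issued, else None."""
        if not isinstance(token, str) or token.count(".") != 1:
            return None
        session_id, tag = token.split(".", 1)
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(self._tag(session_id), tag):
            return None
        # The tag proves origin; the store lookup proves the session is still
        # live (not rotated away, not revoked after logout).
        return self._sessions.get(session_id)

    def rotate(self, old_token: str, data: dict) -> Optional[str]:
        """Session-fixation defence: on login, drop the old id and mint a new one."""
        if self.verify(old_token) is None:
            return None
        del self._sessions[old_token.split(".", 1)[0]]
        return self.issue(data)


def demo() -> Dict[str, bool]:
    """Walk through issuing, rejecting unissued identifiers, and rotating."""
    store = SessionStore(secrets.token_bytes(32))
    anon = store.issue({"user": None})
    results = {}
    results["issued_token_verifies"] = store.verify(anon) is not None

    # Attacker-chosen session id (classic fixation): never minted here, no valid tag.
    results["fixed_id_rejected"] = store.verify("attacker-chosen-id.0000") is None

    # Browser-supplied identifier (constructed GUID standing in for a WMP
    # "super cookie"): the server never issued it, so it cannot be verified.
    client_guid = "12345678-1234-1234-1234-123456789abc"
    results["client_guid_rejected"] = store.verify(client_guid) is None

    # Tag forged under the wrong key: right shape, wrong issuer.
    other = SessionStore(secrets.token_bytes(32))
    results["other_issuer_rejected"] = store.verify(other.issue()) is None

    # Rotation on login invalidates the pre-login token.
    logged_in = store.rotate(anon, {"user": "alice"})
    results["old_token_dead_after_rotate"] = store.verify(anon) is None
    results["new_token_bound_to_user"] = (
        logged_in is not None and store.verify(logged_in)["user"] == "alice"
    )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Note the two separate checks in `verify`: the HMAC tag answers "did I issue this?", and the store lookup answers "is it still valid?". Either alone is insufficient; a forged tag fails the first, and a token from before login (or after logout) fails the second even though its tag is genuine.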

