[FoRK] DNT: another example of "you can't make this shit up"

Gregory Alan Bolcer greg at bolcer.org
Tue Oct 16 15:49:38 PDT 2012

On 10/16/2012 3:10 PM, Stephen D. Williams wrote:

> Fundamentally, session cookies are nothing more than a random number.
> Done properly, you can't forge a random number.  Cookies shouldn't be
> able to be stolen for a TLS-enabled session.  Otherwise no one would do
> online banking.  If you're talking about a local attack, the cookie is
> about as exposed as any private key or certificate would be, except for
> hardware keys.

You're still thinking like a security guy.  Cookies can be stolen. 

> As long as they are cryptographically secure, a session cookie could be
> its own certificate of sorts: Take the current date, add salt, encrypt
> with a private key and any server with that key can validate.  Or take
> random data and sign it with a private key and any server with the
> public key can validate.  You can clip this to be arbitrarily short and
> still validate.

Congrats, you just invented some new IP.  Now the next step is to 
short-circuit the cookies and just use client side certificates.  Once 
you fall into that camp, there's a finite number of small things that 
need to be fixed in how certificates are handled and then, we're off 
onto a brave new world.
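The signed-token variant Stephen describes (random data signed with a private key, validated by any server that holds only the public key), as an added example that is not from the thread: it assumes Ed25519 and a token layout constructed for this example, and it keeps the full signature rather than clipping it, since truncating a signature shrinks the forgery bound.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token layout (constructed for this example, not a standard):
// base64url( 8-byte unix issue time || 16 random bytes || ed25519 signature over those 24 bytes )
const payloadLen = 8 + 16
// Issue mints a session token with the issuing server's private key.
func Issue(priv ed25519.PrivateKey, now time.Time) (string, error) {
	payload := make([]byte, payloadLen)
	binary.BigEndian.PutUint64(payload[:8], uint64(now.Unix()))
	if _, err := rand.Read(payload[8:]); err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	return base64.RawURLEncoding.EncodeToString(append(payload, sig...)), nil
}
// Verify needs only the public key, so any server holding it can validate without
// sharing the private key; forging a token requires the private key. Stale tokens are rejected.
func Verify(pub ed25519.PublicKey, token string, now time.Time, maxAge time.Duration) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != payloadLen+ed25519.SignatureSize {
		return errors.New("malformed token")
	}
	payload, sig := raw[:payloadLen], raw[payloadLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature")
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(payload[:8])), 0)
	if now.Sub(issued) > maxAge || issued.After(now.Add(time.Minute)) {
		return errors.New("token expired or issued in the future")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := Issue(priv, time.Now())
	fmt.Println("fresh token:", Verify(pub, tok, time.Now(), time.Hour)) // <nil>
	raw, _ := base64.RawURLEncoding.DecodeString(tok)
	raw[10] ^= 1 // flip one bit of the random part: the signature no longer matches
	fmt.Println("tampered:", Verify(pub, base64.RawURLEncoding.EncodeToString(raw), time.Now(), time.Hour))
}
```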
