[FoRK] DNT: another example of "you can't make this shit up"
Gregory Alan Bolcer
greg at bolcer.org
Tue Oct 16 15:49:38 PDT 2012
On 10/16/2012 3:10 PM, Stephen D. Williams wrote:
> Fundamentally, session cookies are nothing more than a random number.
> Done properly, you can't forge a random number. Cookies shouldn't be
> able to be stolen for a TLS-enabled session. Otherwise no one would do
> online banking. If you're talking about a local attack, the cookie is
> about as exposed as any private key or certificate would be, except for
> hardware keys.
You're still thinking like a security guy. Cookies can be stolen.
> As long as they are cryptographically secure, a session cookie could be
> its own certificate of sorts: Take the current date, add salt, encrypt
> with a private key and any server with that key can validate. Or take
> random data and sign it with a private key and any server with the
> public key can validate. You can clip this to be arbitrarily short and
> still validate.
Congrats, you just invented some new IP. Now the next step is to
short-circuit the cookies and just use client side certificates. Once
you fall into that camp, there's a finite number of small things that
need to be fixed in how certificates are handled and then, we're off
onto a brave new world.
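The construction quoted above (random data plus a date, authenticated with a server-held key so that any server holding the key can validate without a shared session store), as an added example that is not part of the thread. It uses HMAC-SHA256 from the Python standard library for the "any server with that key can validate" variant; the public-key variant would swap the MAC for a signature such as Ed25519 and give verifiers only the public key. Key, lifetime, tag length and field layout are assumptions. The last case in demo() illustrates the point made in the reply: nothing in the token ties it to the client it was issued to, so a verbatim copy validates just as well.

```python
"""Stateless session token: nonce || expiry || tag, authenticated with a
server-side key. Added example, not code from the FoRK thread. HMAC-SHA256
stands in for "encrypt with a private key and any server with that key can
validate"; a public-key signature would replace _tag() in the asymmetric case.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

NONCE_LEN = 16   # 128 bits of randomness: the "random number" part (assumed)
TAG_LEN = 16     # tag clipped to 128 bits, shorter than the 32-byte digest (assumed)
TTL = 3600       # token lifetime in seconds (assumed)


def _tag(key: bytes, body: bytes) -> bytes:
    """Authenticate the body. Truncating the tag keeps the token short; 128 bits
    is still unforgeable without the key, shorter than that is false economy."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def issue_token(key: bytes, now: int, ttl: int = TTL) -> str:
    """Build nonce || expiry || tag and encode it as a cookie-safe string."""
    body = secrets.token_bytes(NONCE_LEN) + struct.pack(">Q", now + ttl)
    return base64.urlsafe_b64encode(body + _tag(key, body)).decode("ascii")


def validate_token(key: bytes, token: str, now: int) -> tuple[bool, str]:
    """Any server holding `key` can validate with no session store.
    Returns (ok, reason); the reason names the check that failed."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # binascii.Error and UnicodeEncodeError both subclass it
        return False, "malformed"
    if len(raw) != NONCE_LEN + 8 + TAG_LEN:
        return False, "malformed"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Check the tag before trusting any field, in constant time.
    if not hmac.compare_digest(tag, _tag(key, body)):
        return False, "bad tag"
    (expiry,) = struct.unpack(">Q", body[NONCE_LEN:])
    if now >= expiry:
        return False, "expired"
    return True, "ok"


def tamper_expiry(token: str, new_expiry: int) -> str:
    """Attacker-side helper: rewrite the expiry field without knowing the key."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    raw[NONCE_LEN:NONCE_LEN + 8] = struct.pack(">Q", new_expiry)
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


def demo() -> dict:
    """Run the checks a practitioner would want; returns outcomes for assertion."""
    key = secrets.token_bytes(32)        # constructed: key shared by the servers
    other_key = secrets.token_bytes(32)  # constructed: some unrelated server's key
    now = int(time.time())
    tok = issue_token(key, now)
    return {
        "fresh": validate_token(key, tok, now)[0],
        # a second host with the same key validates without any shared state
        "other_server": validate_token(key, tok, now + 10)[0],
        "wrong_key": validate_token(other_key, tok, now),
        "tampered": validate_token(key, tamper_expiry(tok, now + 10**6), now),
        "expired": validate_token(key, tok, now + TTL),
        "truncated": validate_token(key, tok[:-4], now),
        # Bearer credential: a verbatim copy taken from the client validates too.
        # The tag proves the server issued it, not who is presenting it.
        "stolen_copy": validate_token(key, str(tok), now)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} -> {outcome}")
```

The expiry is authenticated together with the nonce, so the clip-to-a-shorter-tag decision is the only place where the "arbitrarily short" idea has a cost: each byte dropped from the tag lowers the forgery margin, while the nonce and expiry must stay intact or validation fails outright.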