James A. Donald wrote:
-- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected.
However, the session fixation bugs http://www.acros.si/papers/session_fixation.pdf make https and PKI worthless against such man in the middle attacks. Have these bugs been addressed?
Do they exist? Certainly any session ID I've ever had a hand in has two properties that strongly resist session fixation: a) If a session ID arrives, it should already exist in the database. b) Session IDs include HMACs. Session fixation is defeated by either of these. Modulo insider attacks, of course. :-) -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com