What happened with the session fixation bug?

Steven M. Bellovin smb at cs.columbia.edu
Mon May 30 18:17:57 PDT 2005

In message <427CCA9B.29132.760A1FC at localhost>, "James A. Donald" writes:
> --
> PKI was designed to defeat man in the middle attacks
> based on network sniffing, or DNS hijacking, which
> turned out to be less of a threat than expected.
First, you mean "the Web PKI", not PKI in general.

The next part of this is circular reasoning.  We don't see network 
sniffing for credit card numbers *because* we have SSL.  Since many of 
the worm-spread pieces of spyware incorporate sniffers, I'd say that 
part of the threat model is correct.

As for DNS hijacking -- that's what's behind "pharming" attacks.  In 
other words, it's a real threat, too.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com