Generating Unique Keys
Mike C. Fletcher
mcfletch at rogers.com
Sat Jan 25 18:00:50 EST 2003
There are plenty of ways to get (unencrypted) data from a web transaction:
Snoop packet traffic (easiest path, generally blocked by
socket-level encryption)
Get the user's machine to give it to them via all sorts of
bugs/exploits where the machine is fooled into thinking the cracker's
machine is the server and renders up the cookie for validation (these
exploits come up all the time, best to plan for them, decent protection
requires use of well-known certificate authorities or a really good PKI
infrastructure, as well as users patching their browsers (the same users
who often don't know what "drag and drop" means, so it's pretty dicey
relying on that))
Stand between server and user and play "man-in-the-middle" (the
hardest attacks to defend against IMO, as without
well-known/already-known certificate authorities or a really good PKI
infrastructure you can't even begin to know who you're talking to, you
need a lot of thought on this or need to use an off-the-shelf approach
such as SSL)
Randomly guess until there's a collision (particularly if they don't
care _which_ session they're taking over).
Enjoy,
Mike
Paul Rubin wrote:
>Mongryong <Mongryong at sympatico.ca> writes:
>
>
>>Even with a 'randomly' generated session key, a malicious user can still
>>steal the session key of a active user.
>>
>>
>
>How?
>
>
_______________________________________
Mike C. Fletcher
Designer, VR Plumber, Coder
http://members.rogers.com/mcfletch/
More information about the Python-list
mailing list