On Wed, 19 Jan 2011 18:07:36 +0100, tv.deb...@googlemail.com wrote:

> On the 19/01/2011 17:46, Camaleón wrote:

(...)

>> In brief:
>>
>> - Does the cookie contain sensitive/private information? → set/get the
>> cookie using ssl
>>
>> - Does the cookie contain standard/publicly available information → no
>> need to be encrypted
>>
>> What I fear, more than "unencrypted" browsing, is e-mail/ftp logins
>> using clear text passwords.
>>
>>
>>
> It is not only the data enclosed inside the cookie which are at risk
> here, but the entire session on the website you are logged in to. Say you
> log into your "friendface" account, and someone near you catches your
> unencrypted session cookie, then he is YOU on YOUR "friendface"
> account...

That sounds like bad programming or a buggy site. There are methods to
prevent such attacks on the server side that involve no encrypted
sessions, but sometimes it is easier (and cheaper) for companies to rely
on completely encrypted sessions and not implement other countermeasures.

Greetings,

-- 
Camaleón


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/pan.2011.01.19.17.50...@gmail.com
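Added example (not code from anyone in this thread): the server-side half of the "set/get the cookie using ssl" rule above is the Secure attribute on the Set-Cookie header, which tells the browser to attach the session cookie to https requests only, so a listener on the wire never sees it even if the user later types a plain http URL for the same site. The block builds such a cookie with Python's standard library, audits an arbitrary Set-Cookie value for the Secure and HttpOnly attributes, and models the browser's send-or-don't-send decision. The function names and the sample headers are this example's own constructions.

```python
"""Added example, not code from the debian-user thread: emit a session cookie
the browser will only ever transmit over SSL/TLS, and audit existing
Set-Cookie headers for that protection.  Function names and sample headers
below are this example's own constructions."""
import secrets
from http.cookies import SimpleCookie


def build_session_cookie(name="sessionid", *, secure=True, http_only=True,
                         max_age=3600):
    """Return the value of a Set-Cookie header carrying a fresh session id.

    secure=True    -> browser sends the cookie on https:// requests only, so a
                      passive listener on the network never sees it.
    http_only=True -> page scripts cannot read it through document.cookie.
    """
    cookie = SimpleCookie()
    cookie[name] = secrets.token_urlsafe(32)     # 256 bits of randomness
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["httponly"] = http_only               # flags are emitted only if truthy
    morsel["secure"] = secure
    morsel["samesite"] = "Lax"                   # attribute known since Python 3.8
    return morsel.OutputString()


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Report which protections a Set-Cookie header is missing."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will be sent over plain http")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from page scripts")
    return {"name": name, "secure": "secure" in attrs,
            "httponly": "httponly" in attrs, "findings": findings}


def browser_would_send(header_value, scheme):
    """Model the browser rule that matters here: a cookie carrying the Secure
    attribute is attached only to https requests; any other cookie goes out on
    every request to the host, cleartext ones included."""
    _, _, attrs = parse_set_cookie(header_value)
    if "secure" in attrs:
        return scheme == "https"
    return True


# Constructed sample headers: the weak form a site might emit versus the
# hardened one produced above.
WEAK_HEADER = "sessionid=abc123; Path=/"
HARDENED_HEADER = build_session_cookie()

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        report = audit_set_cookie(header)
        print(f"{label}: {header}")
        for finding in report["findings"]:
            print("   -", finding)
        print("   sent over http? ", browser_would_send(header, "http"))
        print("   sent over https?", browser_would_send(header, "https"))
```

Running the module prints the two headers side by side; the weak one is flagged twice and would be sent on http, the hardened one passes and is only sent on https. The audit function is the useful part for a site operator: point it at the Set-Cookie headers a login response actually returns and it tells you whether the session cookie is exposed to exactly the sniffing scenario described in the reply.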