On Sat, 22 Jan 2011 10:11:39 -0600, Boyd Stephen Smith Jr. wrote:

> In <pan.2011.01.22.15.39...@gmail.com>, Camaleón wrote:
> (...)
>> Or just think about removable flash drive devices with portable versions
>> of the browsers; the owner logs into his online account (facebook,
>> gmail, whatever...), checks the "remember me" option and keeps the full
>> session encrypted via https (not just the login part). Another user with
>> access to the flash drive could copy the whole content of the data and
>> re-use (hijack) the cookie that holds the session id.
>
> Cookies that allow the user to bypass a security measure are often
> aggressively timed out and/or cleared server-side, preventing this from
> happening in practice unless the first user authorizes it.
>
> Physical access to the same hardware in a roughly 5 minute window also
> allows one to impersonate another user on a Kerberos network; that's not
> generally considered insecure.

(...)

Not "hardware" but "data". We only need the data to get the encrypted
cookie and hijack the login session. That's a bit different than having
access to a computer and being able to change the root's password.

As for Kerberos, I have not read any case of "session hijacking"; I thought
it was a very strict (with high requirements) protocol :-?

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/pan.2011.01.22.16.44...@gmail.com
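The point Boyd makes above (that the cookie is only a handle, and the server decides when it stops working) is easiest to see with a server-side session store. The following is an added illustration, not code from either poster: the cookie carries only an opaque random id, while the idle timeout, absolute lifetime and revocation live on the server, so a copy of the cookie taken from a browser profile on a flash drive is only worth something until the server expires or clears the session. All names, timeouts and the scenario in `demo()` are constructed for this example.

```python
"""Server-side session store: what a copied session cookie is worth.

Hypothetical example code. The cookie value is an unguessable id that
carries no data; validity is decided server-side by an idle timeout, an
absolute lifetime, and explicit revocation (logout, or "log out everywhere"
after a lost flash drive).
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 5 * 60        # seconds of inactivity before a session dies (constructed)
ABSOLUTE_LIFETIME = 60 * 60  # hard cap regardless of activity (constructed)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable clock so timeouts can be simulated
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session; the returned id is the only thing the cookie holds."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a presented cookie, or None if it is no longer valid."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)   # expire server-side; the cookie is now dead
            return None
        s.last_seen = now                    # sliding idle window
        return s.user

    def logout(self, sid: str) -> None:
        """Clear one session server-side; every copy of that cookie dies with it."""
        s = self._sessions.get(sid)
        if s is not None:
            s.revoked = True

    def logout_everywhere(self, user: str) -> int:
        """Revoke all live sessions of a user; returns how many were revoked."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n


def demo() -> dict:
    """Constructed scenario: the owner logs in, a second person copies the cookie."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    results = {}

    sid = store.login("owner")
    copied = sid                                   # the copied cookie value
    results["copy_works_immediately"] = store.validate(copied) == "owner"
    clock[0] += IDLE_TIMEOUT + 1                   # session sits idle past the limit
    results["copy_after_idle_timeout"] = store.validate(copied)   # None

    sid2 = store.login("owner")
    store.logout(sid2)                             # owner logs out
    results["copy_after_logout"] = store.validate(sid2)           # None

    sid3 = store.login("owner")
    clock[0] += 60
    store.validate(sid3)                           # owner is active, session stays alive
    results["revoked_count"] = store.logout_everywhere("owner")   # 1
    results["copy_after_revoke_all"] = store.validate(sid3)       # None
    return results
```

The idle and absolute limits are what "aggressively timed out" amounts to in practice; `logout_everywhere()` is the server-side clearing the thread mentions, and it is the control a user reaches for once a drive holding a "remember me" profile goes missing.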