Microsoft IE7 compromise of session security


Microsoft IE7 compromise of session security

Chris Haynes
Everyone concerned with data security and privacy should read the Microsoft
developer blog describing their IE7 anti-phishing feature:
http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx

With this browser feature enabled, Microsoft sends a copy of the URL + path of
every accessed page back to their HQ - even if you have HTTPS/SSL/TLS enabled!

Note the posts I have added to the blog on and since 26 Sept, and the Microsoft
response confirming the compromise of HTTPS.

It is possible that beta browsers with this feature are already available in the
wild.

There is one particular aspect that Servlet developers / security managers
should be aware of...

If using URL-rewriting for session management, Microsoft will be sent a copy of
the Session ID while that session is still open (whether or not TLS is involved),
as this sessionID is contained within the path. There is nothing technical
preventing, say, a Microsoft employee or contractor from joining that session.

Jetty might need to add a site-selectable option which detects the IE7 agent
and throws an Exception if URL-rewriting is invoked - to prevent session IDs
being sent to a compromised browser. Views, anyone?

The other security / privacy concerns with this feature are of a broader
nature, and probably OT for this list.

Chris Haynes





-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
jetty-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-discuss
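One way a site could enforce the "no URL-rewriting" option discussed above, written here as an added example rather than code from Jetty or from the thread. It is a hypothetical Servlet 2.x filter (class name, init-param and error page are all assumptions) and it goes slightly beyond the post: instead of special-casing the IE7 User-Agent, it removes the session ID from URLs for every client and treats any session ID that did arrive in the path as already exposed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Jetty): keeps the session ID out of the URL
 * so that a browser which reports visited URLs to a third party never sees it.
 *  1. encodeURL()/encodeRedirectURL() become no-ops, so ";jsessionid=..." is
 *     never appended and the session can only travel in the cookie.
 *  2. A request that presents its session ID in the path is treated as burned:
 *     the session is invalidated and the client is sent to an error page.
 */
public class NoUrlRewritingFilter implements Filter {

    // Hypothetical init-param; the page to show when a session is rejected.
    private String rejectPage = "/session-expired.html";

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("rejectPage");
        if (p != null) rejectPage = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The ID came from the URL, so it may already have left the client.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession s = request.getSession(false);
            if (s != null) s.invalidate();
            response.sendRedirect(request.getContextPath() + rejectPage);
            return;
        }

        // Give the application a response whose URL encoding cannot leak the ID.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
        });
    }

    public void destroy() { }
}
```

Map the filter to `/*` in web.xml; clients that block cookies will then simply fail to keep a session rather than fall back to URL rewriting.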
Re: Microsoft IE7 compromise of session security

Philipp Meier
On Wednesday, 28.09.2005, 13:04 +0100, Chris Haynes wrote:
[...]

> If using URL-rewriting for session management, Microsoft will be sent a copy of
> the Session ID while that session is still open (whether or not TLS is involved),
> as this sessionID is contained within the path. There is nothing technical
> preventing, say, a Microsoft employee or contractor from joining that session.
>
> Jetty might need to add a site-selectable option which detects the IE7 agent
> and throws an Exception if URL-rewriting is invoked - to prevent session IDs
> being sent to a compromised browser. Views, anyone?
>
> The other security / privacy concerns with this feature are of a broader
> nature, and probably OT for this list.

I'd suggest for this case (IE 7) to bind the session id to the IP address
of the client host. Although this is generally not a good idea
(interrupted dial-up connections), this would prevent the sensitive
session id from being sent to a third party.

-billy.
--
3-2-1 Verkaufsagentur ***          We sell for you!             ***
Herrmann-Köhl-Str. 5  *** Petrusplatz next to the Marienapotheke ***
89231 Neu-Ulm         ***  http://www.321-verkaufsagentur.de/  ***

Re: Microsoft IE7 compromise of session security

Chris Haynes
"Philipp Meier" suggested:

> On Wednesday, 28.09.2005, 13:04 +0100, Chris Haynes wrote:
> [...]
>
>> If using URL-rewriting for session management, Microsoft will be sent a copy
>> of the Session ID while that session is still open (whether or not TLS is
>> involved), as this sessionID is contained within the path. There is nothing
>> technical preventing, say, a Microsoft employee or contractor from joining
>> that session.
>>
>> Jetty might need to add a site-selectable option which detects the IE7 agent
>> and throws an Exception if URL-rewriting is invoked - to prevent session IDs
>> being sent to a compromised browser. Views, anyone?
>>
>> The other security / privacy concerns with this feature are of a broader
>> nature, and probably OT for this list.
>
> I'd suggest for this case (IE 7) to bind the session id to the IP address
> of the client host. Although this is generally not a good idea
> (interrupted dial-up connections), this would prevent the sensitive
> session id from being sent to a third party.


I believe AOL changes proxies mid-session, so that the host could appear to be
different on a request-by-request basis, so I don't think your suggestion would
work with hosts within AOL.

Chris
