[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [WEB SECURITY] Fundamental error in Corsaire's paper?

From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
Subject: RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
Date: Fri, 28 Apr 2006 21:01:34 +0200

On 28 Apr 2006 at 17:50, Martin O'Neal wrote:

> 
> > Hmmmm... - not too common, so it seems.
> 
> Well, MS often tend to be the spanner in the ointment when it comes to
> standards compliance, but even if you accept all of those MS vagaries,
> this is still counter evidence to the blanket "There is no such thing as
> path security" statement.  Granted, the practical worth of it today
> (with the browser issues in evidence) is limited. ;)
> 

OK, if that's the counter example, I can live with it ;-)

> > Oh, I disagree here. In my opinion, these are NOT browser issues 
> 
> Life is rarely so simple in the world of RFCs.  One of the reasons the
> initial advisory took months to be released is that it wasn't possible
> to get a consensus on the root of the problem, and whether it should be
> addressed at the browser, at the server, or a combination of both.

I agree. The way I interpret the cookie standards, as well as the HTTP
and URI ones combine into a ridiculous result. 

> There was input from Microsoft, Apache, Mozilla, Apple, Galleon, KDE and
> Opera, but no consensus.  In the end I recall the debate drying up, and
> the vendors who attempted to resolve the issue went for a URI
> canonicalisation approach at the browser, prior to path comparison.
> 

Yet you can't expect the browser vendors to predict all those
variants... in other words, placing this burden at the hands of the 
browser vendors is unfair, and unlikely to improve security.

> > As for SSL, I strongly disagree. 
> 
> Me too! :p
> 
> SSL is used as a blanket term for multiple protocols, some of which are
> flawed.  Some cipher suites offer little or no protection at all, and
> most out-of-the-box SSL implementations are weak.  And the crux is that
> the security of SSL depends entirely on the integrity of the local
> certificate management process, which generally is non-existent.  I
> could go on, but suffice to say that a poor SSL implementation offers at
> best a false sense of security.
> 
> Want to hazard a guess at what I have been playing with in my research
> time for the last few months?  :)
> 

Hmmm, given that SSL was given much attention and scrutiny, I'd sure love
to read your next paper.

-Amit

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Follow-Ups:
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
  - From: Armag

Prev by Date: RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
Next by Date: [WEB SECURITY] XSS/Script Injection on my personal site
Previous by thread: RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
Next by thread: RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site