What happened with the session fixation bug?
Steven M. Bellovin
smb at cs.columbia.edu
Mon May 30 21:17:57 EDT 2005
In message <427CCA9B.29132.760A1FC at localhost>, "James A. Donald" writes:
> --
> PKI was designed to defeat man in the middle attacks
> based on network sniffing, or DNS hijacking, which
> turned out to be less of a threat than expected.
>
First, you mean "the Web PKI", not PKI in general.
The next part of this is circular reasoning. We don't see network
sniffing for credit card numbers *because* we have SSL. Since many of
the worm-spread pieces of spyware incorporate sniffers, I'd say that
part of the threat model is correct.
As for DNS hijacking -- that's what's behind "pharming" attacks. In
other words, it's a real threat, too.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com