TLS break
Ben Laurie
benl at google.com
Mon Nov 16 22:09:38 EST 2009
On Mon, Nov 16, 2009 at 11:30 AM, Bernie Cosell <bernie at fantasyfarm.com> wrote:
> As I understand it, this is only really a vulnerability in situations
> where a command to do something *precedes* the authentication to enable
> the command. The obvious place where this happens, of course, is with
> HTTPS where the command [GET or POST] comes first and the authentication
> [be it a cookie or form vbls] comes later.
This last part is not really accurate - piggybacking the evil command
onto authentication that is later presented is certainly one possible
attack, but there are others, such as the Twitter POST attack and the
SMTP attack outlined by Wietse Venema (which doesn't work because of
implementation details, but _could_ work with a different
implementation).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list