[Cryptography] Is this a solved problem?

John Levine johnl at iecc.com
Tue Sep 29 10:27:31 EDT 2020


In article <E1kN3vx-000EUc-2v at elasmtp-curtail.atl.sa.earthlink.net> you write:
>So how can the company make a 'link' that only operates for
>the original recipient of the email, and not for anyone else
>who somehow gains access to this link?

The short answer is that in general, you can't. 

The slightly longer answer is that when the customer logs in with 2FA
or whatever, the company sends a cookie to the browser or app that has
a session ID. If a mail recipient clicks on the link, assuming the
company has enough sense to make the link in the same domain its web
site uses (some don't), the browser sends along the cookie, and the
company can see if the computer on which she clicked the link already
has a session for the customer to whom they sent the message. If it's
the same, they can skip the login and go straight to the hard sell.

This is pretty typical, leaving a cookie that lets the user continue
an existing session later. That's why they ask the irritating question
about whether this is a shared computer so they can make the cookie
expire quickly instead.

-- 
Regards,
John Levine, johnl at taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
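The mechanism described in the reply above (session cookie set at login, emailed link in the same domain, login skipped only when the browser presents a session for the same customer the link was sent to, shorter cookie lifetime for a "shared computer"), as an added worked example that is not part of the original post or of any real company's code. The secret, host names, session store, cookie lifetimes and sample customers are all constructed for illustration; the browser model only captures the one rule that matters here, that a cookie is sent only to the host it was set for:

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed server-side state for the example; a real deployment keeps the
# secret in a KMS and the sessions in a store with real expiry.
LINK_SECRET = b"example-link-secret-do-not-reuse"
SESSIONS = {}  # session_id -> {"customer": str, "expires": float}

SHARED_COMPUTER_TTL = 15 * 60          # "this is a shared computer": expire soon
PRIVATE_COMPUTER_TTL = 30 * 24 * 3600  # otherwise: long-lived continuation cookie


def issue_session(customer_id, shared_computer, now):
    """After the 2FA login, mint a session ID and the Set-Cookie value for it."""
    sid = secrets.token_urlsafe(32)
    ttl = SHARED_COMPUTER_TTL if shared_computer else PRIVATE_COMPUTER_TTL
    SESSIONS[sid] = {"customer": customer_id, "expires": now + ttl}
    return sid, f"sid={sid}; Max-Age={ttl}; Secure; HttpOnly; SameSite=Lax"


def make_link(customer_id, campaign, host="www.example.com"):
    """Build the emailed link. The HMAC tag records who the mail was sent to
    and stops tampering; it says nothing about who is clicking."""
    msg = f"{customer_id}|{campaign}".encode()
    tag = hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()
    return f"https://{host}/offer?c={campaign}&u={customer_id}&t={tag}"


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def handle_click(link_url, cookie_header, now):
    """Server-side decision for a request to the emailed link:
    'invalid_link', 'require_login' or 'skip_login'."""
    q = parse_qs(urlparse(link_url).query)
    customer = q.get("u", [""])[0]
    campaign = q.get("c", [""])[0]
    tag = q.get("t", [""])[0]
    expected = hmac.new(LINK_SECRET, f"{customer}|{campaign}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "invalid_link"
    sess = SESSIONS.get(parse_cookie(cookie_header).get("sid"))
    if sess is None or sess["expires"] <= now:
        return "require_login"   # no session, or it expired (shared computer)
    if sess["customer"] != customer:
        return "require_login"   # someone else's session; the link was forwarded
    return "skip_login"          # same customer as the recipient: straight in


def browser_cookie_header(link_url, jar):
    """Model of the browser: the cookie goes only to the host it was set for.
    A link on a separate tracking domain therefore arrives with no cookie."""
    return jar.get(urlparse(link_url).hostname)


def click(link_url, jar, now):
    """Simulate a user with cookie jar `jar` (host -> Cookie header) clicking."""
    return handle_click(link_url, browser_cookie_header(link_url, jar), now)
```

The point the example makes concrete: the link itself never identifies the clicker. Forwarding the mail, a different machine, or a link hosted on a tracking domain outside the site's own domain all fall back to a full login, and a session issued with the "shared computer" answer stops working once its short Max-Age has passed.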