Re: Gmail/SSL
On Mon, Mar 10, 2008 at 5:47 PM, coderman <coderman@xxxxxxxxx> wrote:
> ...
> i am referring solely to the auth cookie management
my last comments (to myself :) on this subject for site devs or cookie mungers:
IE since v6 SP1 and firefox 3.x support a 'httponly' cookie option to
prevent scripting access from leaking session auth. most web scripting
languages / libraries already provide this option when sending cookies
to the client.
regarding transparent proxy of SSL/TLS to enforce safe cookie
settings, you have to use a MITM proxy a la webwasher ssl scanner [0].
best regards,
0. Webwasher SSL Scanner
http://www.cyberguard.com/products/webwasher/webwasher_products/ssl_scanner/index.html
the PKI hijinx required to implement this securely and transparently
is why i called this a pain in the ass, even if it is the most
effective way to enforce a secure-only policy.
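
An added example, not part of the thread, of the two cookie flags the post discusses: it audits Set-Cookie headers for HttpOnly and Secure on auth cookies, and shows how a server would emit a hardened session cookie with Python's standard library. The auth cookie names and the sample headers are constructed for the example.

```python
# Added example (not from the thread): audit Set-Cookie headers for the
# HttpOnly and Secure flags on auth cookies, and emit a hardened one.
from http.cookies import SimpleCookie

# Cookie names treated as session/auth cookies. Constructed for the
# example; a real audit would take this list from the application.
AUTH_COOKIE_NAMES = {"sessionid", "auth", "sid", "token"}


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.
    Valueless attributes (HttpOnly, Secure) are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return findings for an auth cookie missing HttpOnly or Secure.
    Non-auth cookies (e.g. UI preferences) produce no findings."""
    cookie = parse_set_cookie(header)
    if cookie["name"].lower() not in AUTH_COOKIE_NAMES:
        return []
    findings = []
    if "httponly" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing HttpOnly (readable by page script)")
    if "secure" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing Secure (sent over plain HTTP)")
    return findings


def hardened_session_cookie(name: str, value: str) -> str:
    """Build the Set-Cookie value a server should send for an auth cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # keep it out of document.cookie
    jar[name]["secure"] = True     # only send over HTTPS
    jar[name]["path"] = "/"
    return jar[name].OutputString()


# Constructed sample headers, as a server might send them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure",
    "theme=dark; Path=/",
    "token=xyz; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for finding in audit_set_cookie(header):
            print(finding)
    print(hardened_session_cookie("sessionid", "abc123"))
```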