[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Defeat Exit Node Sniffing?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Defeat Exit Node Sniffing?
From: Martin Fick <mogulguy@xxxxxxxxx>
Date: Mon, 3 Mar 2008 15:17:04 -0800 (PST)
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Mon, 03 Mar 2008 18:17:12 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=Sewn0DW4rEf8aWL9zoehrGdxUnpgk3Hk3Gl82mdc6kZGE8kg8wDqqd7QTt9mbTpNOQQRIpkcDHfj12AtFKCU3NjoX6VihoTuJjoM3i9x2O4h+qT1cN+J/SJ5xZXvATW2fk9cl9E/SDt9bCb94uqr2mgyqOx8faBodUA6MmdQg14=;
In-reply-to: <4ef5fec60803031502y539d17c3sfe62622f8eae9e03@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

--- coderman <coderman@xxxxxxxxx> wrote:
> with a rogue exit node you also need to be aware of
> intentional injection of http://.  since google does

> not bind authenticated session cookies to ssl only 
> (secure only flag) you need to mitigate this
yourself. 
> otherwise, a single http://...google.com/ will
expose
> your session cookie and permit session hijacking.

How is it going to inject anything into an https
stream?

-Martin



      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

References:
- Re: Defeat Exit Node Sniffing?
  - From: coderman

Prev by Author: Re: Defeat Exit Node Sniffing?
Next by Author: Re: [ANN] Vidalia and Mixminion repository for ubuntu
Previous by thread: Re: Defeat Exit Node Sniffing?
Next by thread: Re: Defeat Exit Node Sniffing?
Index(es):
- Author
- Thread