From: Maaartin on 15 Apr 2010 18:01

On Apr 15, 10:17 pm, Paul Rubin <no.em...(a)nospam.invalid> wrote:
> "balzer" <nos...(a)news.eternal-september.org> writes:
> > Some sites are HTTPS only when you log in; after login they become HTTP,
> > and become HTTPS again only when you log off. (Yahoo mail for example, etc.)
> > What are the chances that the session can be intercepted and sidejacked
> > and the traffic content recorded, especially as I know this danger really
> > exists?
>
> You can set the cookie to only be sent over https. I don't know whether
> yahoo actually does that.

But this would mean that there'd be no cookie for normal work without
https. It could work only based on IP, which could work or not. And
there'd be no authentication for sending and receiving emails; quite
strange, isn't it?
From: Paul Rubin on 15 Apr 2010 22:19

Maaartin <grajcar1(a)seznam.cz> writes:
>> You can set the cookie to only be sent over https. I don't know whether
>> yahoo actually does that.
>
> But this would mean that there'd be no cookie for normal work without
> https. It could work only based on IP, which could work or not.
> And there'd be no authentication for sending and receiving emails;
> quite strange, isn't it?

They could make it so that clicking from one message to the next goes
through https, or something like that. Or since they don't encrypt the
traffic, they might not care about authenticating it past the initial
login. They encrypt the login to stop your permanent password from being
intercepted and used elsewhere at an arbitrary later time, but they may
not consider it such a problem if a 1-hour session token gets intercepted.
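The Secure cookie attribute Paul refers to, shown with Python's standard http.cookiejar as an added example (not code from the thread): a constructed login response sets a session cookie, and the jar is then asked which cookies it would attach to an https versus a plain-http inbox request like the post-login pages balzer describes. The hostname mail.example.test and all cookie values are constructed.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed site: login over https, later inbox pages reachable over both schemes.
LOGIN_URL = "https://mail.example.test/login"
INBOX_HTTPS = "https://mail.example.test/inbox"
INBOX_HTTP = "http://mail.example.test/inbox"


class _LoginResponse:
    """Minimal stand-in for a server response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def jar_after_login(set_cookie_values):
    """Store the login response's cookies exactly as a browser would."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_LoginResponse(set_cookie_values),
                        urllib.request.Request(LOGIN_URL))
    return jar


def cookie_names_sent(jar, url):
    """Names of the cookies the jar attaches to a request for url (sorted)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)          # applies the Secure check for us
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def exposure(set_cookie_values):
    """Which cookies cross the wire over https vs plain http after login."""
    jar = jar_after_login(set_cookie_values)
    return {"https": cookie_names_sent(jar, INBOX_HTTPS),
            "http": cookie_names_sent(jar, INBOX_HTTP)}


if __name__ == "__main__":
    # Without Secure the session token rides along on every http page: the sidejacking case.
    print(exposure(["session=tok-constructed-1; Path=/; HttpOnly"]))
    # With Secure the token stays on https; a separate low-value cookie can still serve http pages.
    print(exposure(["session=tok-constructed-1; Path=/; Secure; HttpOnly",
                    "prefs=theme-dark; Path=/"]))
```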