OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

[ Lists Home | Date Index | Thread Index ]

Rich Salz scripsit:

> I'm not sure what you mean by replay attack.  What packets (HTTP 
> requests) is the adversary replaying?  If the initial login form is 
> protected by SSL, than there's nothing to steal for future replay. (If 
> your adversary can crack SSL/TLS, it's safe to assume they're going to 
> go after bigger fish than you might be. :)

Fair enough.  I was actually thinking of a man-in-the-middle attack or
equivalent, where the first time you send the cookie in the clear, I capture
it and send my own content with the same cookie.  The server thinks I am you.
You are quite right that this has less long-term exposure than HTTP basic,
but HTTP digest is better than either (deployment difficulties aside).

I don't see why embedding a capability in the URL is un-RESTy, though.
Every resource has a stable URL still; it's just that publishing certain
URLs becomes a Bad Thing.

John Cowan          http://www.ccil.org/~cowan        jcowan@reutershealth.com
To say that Bilbo's breath was taken away is no description at all.  There are
no words left to express his staggerment, since Men changed the language that
they learned of elves in the days when all the world was wonderful. --The Hobbit


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS