On Thu, 30 Aug 2001, Norman Cook wrote:

> This is an Automatic process for ID generation that I rather random
> ... so theoretically (as MS always likes to put it) yes, they could
> steal a Session ID, but you would have to guess it first, and that
> would be akin to attempting to hijack a TCP/IP session using a guessed
> TCP/IP sequence number.

... and that's hard! <smirk>

http://razor.bindview.com/publish/papers/tcpseq.html
http://www.cert.org/advisories/CA-2001-09.html

if you (the original author) really want to beef this up, i suggest doing a large scale statistical analysis of the session IDs and cookies, illustrate some predictive properties (i.e. if it's using gettimeofday(), everyone's favorite seed for their PRNG), and put together some demos. you may be on to something, as it really does rely on some implicit trust that the session values are generated randomly.

predictive cookie values are nothing new. :)

hope this helps,

____________________________
jose nazario joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
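
An added example, not part of the original post: a small version of the statistical analysis suggested above, meant for an application owner to run over session IDs collected in issue order from their own system. The two sample generators, the function names and the thresholds are constructed assumptions.

```python
import math
import secrets
from collections import Counter

def position_entropy(ids):
    """Shannon entropy (bits) of the character seen at each position."""
    n = len(ids)
    out = []
    for column in zip(*ids):
        counts = Counter(column)
        out.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return out

def increasing_fraction(ids):
    """Fraction of consecutive IDs (in issue order) that increase numerically."""
    values = [int(i, 16) for i in ids]
    ups = sum(b > a for a, b in zip(values, values[1:]))
    return ups / (len(values) - 1)

def audit(ids, min_bits=3.5, max_trend=0.9):
    """Flag equal-length hex IDs that show clock- or counter-like structure."""
    entropy = position_entropy(ids)
    # A uniformly random hex digit carries 4 bits; far less means structure.
    weak_positions = [i for i, h in enumerate(entropy) if h < min_bits]
    trend = increasing_fraction(ids)  # about 0.5 for unrelated random values
    skewed = trend > max_trend or trend < 1 - max_trend
    return {"weak_positions": weak_positions, "trend": trend,
            "predictable": bool(weak_positions) or skewed}

def constructed_clock_ids(n, start_us=999_200_000_000_000, step_us=137):
    """Constructed sample: IDs that are just a microsecond clock reading."""
    return [format(start_us + k * step_us, "032x") for k in range(n)]

def constructed_csprng_ids(n):
    """Constructed sample: 128-bit IDs from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]

if __name__ == "__main__":
    for name, ids in (("clock", constructed_clock_ids(2000)),
                      ("csprng", constructed_csprng_ids(2000))):
        r = audit(ids)
        print(name, r["predictable"], len(r["weak_positions"]), round(r["trend"], 3))
```

Passing this check does not show a generator is sound: a PRNG seeded from the clock can look uniform per position and still be reproducible, so the check only catches visible structure.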
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 12:51:30 PDT