> if you (the original author) really want to beef this up, I suggest doing
> a large scale statistical analysis of the session IDs and cookies,
> illustrate some predictive properties (i.e. if it's using gettimeofday(),
> everyone's favorite seed for their PRNG), and put together some demos. You
> may be on to something, as it really does rely on some implicit trust that
> the session values are generated randomly.

Something along these lines is already underway. Volunteers can upload Netscape-style cookies on http://cookies.lcs.mit.edu/. The cookies are then stored in an SQL database for pattern matching and reverse engineering. Volunteers are welcome to help make the site work for cookies from other browsers such as MSIE and Konqueror. We have plans for HTTPS and HTTP proxies so that volunteers can donate the tastier ephemeral RAM-only cookies too.

At the USENIX Security Symposium, we explained how we broke many insecure authentication schemes, including schemes used at WSJ.com, SprintPCS.com, FatBrain.com, highschoolalumni.com, and others. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one.

Anyhow, read the tech report and privacy policy on cookies.lcs.mit.edu if you're interested.

--------
Kevin E. Fu (fubobat_private)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
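The following is an added illustration of the point raised in the quoted suggestion and the reply (a clock-seeded PRNG makes session IDs a function of the login time, and a batch of collected cookies can be tested against that hypothesis); it is example code written for this page, not code from the original poster, from the cookies.lcs.mit.edu project, or from any of the sites named above. The minting scheme `weak_session_id`, the constructed "donated cookie" batch, and the +/- 1 ms time window are all assumptions made for the demo.

```python
"""Toy demonstration of the "gettimeofday() as PRNG seed" weakness and a
crude batch check of the kind a cookie-collection project might run.

Everything below is constructed for this example: the minting scheme, the
donated-cookie batch and the time window are assumptions, not any real
site's scheme or data."""
import hashlib
import math
import random
import secrets


def weak_session_id(login_time_us: int) -> str:
    """Hypothetical weak scheme: seed a non-cryptographic PRNG from a
    microsecond clock value and hash one draw.  Hashing makes the ID look
    random but adds no entropy: the ID is a pure function of the clock."""
    rng = random.Random(login_time_us)
    raw = rng.getrandbits(64).to_bytes(8, "big")
    return hashlib.sha256(raw).hexdigest()[:32]


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG: there is no seed to recover."""
    return secrets.token_hex(16)


def recover_login_time(session_id: str, approx_time_us: int, window_us: int):
    """Attacker's view: the login is known to have happened within
    +/- window_us of approx_time_us (a Date: header, a watched login, a
    proxy timestamp), so replay the minting function over that window.
    Returns the seed that reproduces the ID, or None."""
    for t in range(approx_time_us - window_us, approx_time_us + window_us + 1):
        if weak_session_id(t) == session_id:
            return t
    return None


def effective_entropy_bits(window_us: int) -> float:
    """An ID that is a function of a clock value known to within +/- window_us
    has at most log2(2*window_us + 1) bits of guessing entropy, however long
    the hex string looks."""
    return math.log2(2 * window_us + 1)


def make_donated_cookies(n: int, weak: bool):
    """Constructed sample batch standing in for uploaded cookies: each entry
    is (receipt_time_us, session_id).  Receipt time lags the true login
    time by a deterministic jitter, so the analyst only knows it roughly."""
    base = 1_000_000_000_000
    batch = []
    for i in range(n):
        login = base + i * 7_919
        jitter = (i * 37) % 600  # analyst's clock error, in microseconds (assumed)
        sid = weak_session_id(login) if weak else strong_session_id()
        batch.append((login + jitter, sid))
    return batch


def crack_batch(batch, window_us: int) -> float:
    """Fraction of IDs in the batch explained by the 'clock-seeded' hypothesis.
    Near 1.0 means the scheme is predictable from the clock; near 0.0 means
    the hypothesis is wrong for this scheme (or the IDs are actually random)."""
    hits = sum(
        1 for receipt, sid in batch
        if recover_login_time(sid, receipt, window_us) is not None
    )
    return hits / len(batch)


if __name__ == "__main__":
    w = 1_000  # assumed: attacker knows the login time to within +/- 1 ms
    print("guessing entropy within +/-%d us: %.1f bits" % (w, effective_entropy_bits(w)))
    print("weak batch cracked:   %.0f%%" % (100 * crack_batch(make_donated_cookies(8, True), w)))
    print("strong batch cracked: %.0f%%" % (100 * crack_batch(make_donated_cookies(8, False), w)))
```

The point of `crack_batch` is that the analyst never needs to see the server's code: a hypothesis about the generator ("seeded from the clock near the time the cookie was issued") is tested directly against collected cookies, and the hit rate separates a scheme like `weak_session_id` from one drawing from the OS CSPRNG. Widening the window only raises the cost linearly, which is why `effective_entropy_bits` stays tiny compared with the 128 bits the ID appears to carry.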
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 13:47:01 PDT