On 12/20/06, Tony Abernethy <[EMAIL PROTECTED]> wrote:
> Robert Potts wrote:
> Probably an easy way to test. If you can transfer the "encrypted" cookie
> from one machine to another, this means that the cookies could be easily
> harvested and used to access your account without even taking the
> trouble to actually impersonate you.
>
> Methinks it doesn't matter if YOU can decrypt the cookie, can the bank
> decrypt it and thereby know which account to play "open sesame" with?
>
> Does the bank also ask you for your account#?

If I'm reading this right, the bank asks an extra question if it can't find the cookie it's looking for. It doesn't simply let anyone through if they have possession of this one cookie. I don't think this is really a hole, it's just smoke and mirrors.
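An added illustration of the flow the reply describes, not code from the thread or from any bank: a constructed "remember this computer" cookie that only decides whether the extra security question is asked. The HMAC key, user records and cookie layout are all made-up assumptions.

```python
import hmac
import hashlib
import secrets

# Per-deployment server secret (constructed for the demo).
SERVER_KEY = secrets.token_bytes(32)

# Constructed user records: username -> password and security-question answer.
USERS = {
    "alice": {"password": "correct horse", "answer": "rex"},
    "bob":   {"password": "battery staple", "answer": "fluffy"},
}

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_device_cookie(username: str) -> str:
    """Issued after a full login; binds a random device id to one account."""
    device_id = secrets.token_hex(8)
    payload = f"{username}:{device_id}"
    return f"{payload}:{_tag(payload)}"

def cookie_recognised(cookie, username: str) -> bool:
    """True only if the cookie is untampered AND bound to this account."""
    try:
        user, device_id, tag = cookie.split(":")
    except (AttributeError, ValueError):
        return False
    valid = hmac.compare_digest(tag, _tag(f"{user}:{device_id}"))
    return valid and user == username

def login(username: str, password: str, cookie=None, answer=None) -> str:
    """Returns 'ok', 'need_question' or 'denied'."""
    user = USERS.get(username)
    # The password is always required; the cookie never replaces it.
    if user is None or not hmac.compare_digest(password.encode(),
                                               user["password"].encode()):
        return "denied"
    if cookie_recognised(cookie, username):
        return "ok"                 # known machine: skip the extra question
    if answer is None:
        return "need_question"      # unknown machine: ask the extra question
    ok = hmac.compare_digest(answer.encode(), user["answer"].encode())
    return "ok" if ok else "denied"
```

As the thread observes, the cookie does work when copied to another machine; what a harvested cookie buys is only the skipped question, so it protects against a stolen password alone, not against password plus cookie.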
