-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mitchell,
Fisher, Mitchell L wrote:
>> Without SSL, though, remember that anyone who is capable of hijacking
>> the session is probably also capable of sniffing your users'
>> credentials. What are the implications of that? If it is unacceptable
>> to
> Without SSL, though, remember that anyone who is capable of hijacking
> the session is probably also capable of sniffing your users'
> credentials. What are the implications of that? If it is unacceptable
> to have your credentials go over the network in cleartext, then you will
> simply have to
Christopher Schultz wrote:
John,
John Caron wrote:
We plan on using SSL to do the initial authentication, but then use
session ids without SSL for the data transfer.
Okay, thanks for clarifying that. This is definitely a good thing to do,
and
Martin,
Martin Gainty wrote:
> SE seems definitely O/T
This is not off-topic.
> so please email me offline on this topic of Social Engineering
This is not a question about social engineering.
> Perhaps this is a project which the government never
e le reproduire.
----- Original Message -----
From: "John Caron" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Monday, January 29, 2007 3:17 PM
Subject: Re: session hijacking again
Hi Peter:
Peter Stavrinides wrote:
Do you use Java?
yes
We are a financial inst
----- Original Message -----
From: "John Caron" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Monday, January 29, 2007 3:17 PM
Subject: Re: session hijacking again
> Hi Peter:
>
> Peter Stavrinides wrote:
>> Do you use Java?
>
> yes
>
>>
John,
John Caron wrote:
> We plan on using SSL to do the initial authentication, but then use
> session ids without SSL for the data transfer.
Okay, thanks for clarifying that. This is definitely a good thing to do,
and it appears that session hijack
Hi Peter:
Peter Stavrinides wrote:
Do you use Java?
yes
We are a financial institution, we use a Java Framework based on
servlets with SSL, but if you ask my opinion SSL is not the big issue.
The vast majority of hacked sites are social engineering attacks. Secure
your database (do not s
Hi Christopher:
Christopher Schultz wrote:
John,
John Caron wrote:
Our application is serving large amounts of scientific data over HTTP.
The user needs to login to access the data. We would like to use session
ids to reduce the login overhead. W
Do you use Java?
We are a financial institution, we use a Java Framework based on
servlets with SSL, but if you ask my opinion SSL is not the big issue.
The vast majority of hacked sites are social engineering attacks. Secure
your database (do not store clear text passwords in the database)
m
John,
John Caron wrote:
> Our application is serving large amounts of scientific data over HTTP.
> The user needs to login to access the data. We would like to use session
> ids to reduce the login overhead. We cant afford the overhead of HTTPS
> encr