On Wed, Jul 10, 2013 at 5:39 PM, Nico Williams n...@cryptonector.comwrote:
Also: despite mentioning a few proposals, there's no mention of
ChannelID /
Channel-bound cookies [3].
ChannelID seems to solve these problems, seems more polished than other
proposals, and apparently is being
On Jul 11, 2013, at 12:32 AM, Trevor Perrin
tr...@trevp.netmailto:tr...@trevp.net wrote:
ChannelID seems to solve these problems, seems more polished than other
proposals, and apparently is being experimentally deployed (see Chrome |
Preferences | Cookies and site data |
On Thu, Jul 11, 2013 at 5:50 AM, Yoav Nir y...@checkpoint.com wrote:
On Jul 11, 2013, at 12:32 AM, Trevor Perrin tr...@trevp.net wrote:
ChannelID seems to solve these problems, seems more polished than other
proposals, and apparently is being experimentally deployed (see Chrome |
On Jul 11, 2013, at 7:51 PM, Trevor Perrin
tr...@trevp.netmailto:tr...@trevp.net wrote:
But even if we restrict our solution to HTTPS, I don't see how ChannelID helps
a problem like the BEAST and CRIME attacks. In both cases, the issue is the
scoping of cookie use. An attacker's web page or
On 07/11/2013 02:41 PM, Yoav Nir wrote:
* GET /maingage.html?button=shutdown caused the firewall to power-off.
* GET /mainpage.html?button=unload caused the firewall to unload
policy, so that it didn't enforce policy or do IPsec or anything a router
wouldn't do.
So I
On Thu, Jul 11, 2013 at 1:58 PM, Nico Williams n...@cryptonector.comwrote:
At any rate, I don't think we should do anything to exclude channel
bound cookies (at least not yet, not without much more discussion as
to why) as a candidate session continuation protocol. I have given
reasons why
On Sun, Jul 7, 2013 at 10:37 PM, Yoav Nir y...@checkpoint.com wrote:
Hi all
This has been submitted with a websec filename, but note that this is not
(yet) on our charter.
At the Orlando meeting, we discussed some of the security issues with
keeping HTTP sessions using cookies. There was