On Thu, Jul 11, 2013 at 1:58 PM, Nico Williams <n...@cryptonector.com>wrote:
> At any rate, I don't think we should do anything to exclude channel
> bound cookies (at least not yet, not without much more discussion as
> to why) as a candidate session continuation protocol. I have given
> reasons why I think it shouldn't be the only candidate at this time,

That's fair, but I do think ChannelID sets a high standard. It's clear, simple and can strongly protect cookies.

The proposals from this WG seem much more complicated [1,2], and it's hard to tell whether they resist attacks such as:

 - Session forcing, where a MITM attacker transfers a session to the victim client, thus logging the victim into the attacker's account.

 - Session stealing, where an attacker observes or receives a victim client's request, and then makes the same request himself (perhaps just replaying it, perhaps modifying it).

Trevor

[1] http://tools.ietf.org/html/draft-williams-websec-session-continue-proto-00
[2] http://tools.ietf.org/html/draft-hallambaker-httpsession-01
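To make the two attack classes named above concrete, here is an added example (not code from the thread, ChannelID or either draft) of a channel-bound cookie check in the style the message attributes to ChannelID. It assumes a server that can see a per-connection channel identifier (modelled here as a hash of the client's channel public key) and that mints each cookie as an HMAC over the session id and that identifier; `SERVER_KEY`, `channel_id`, `mint_cookie` and `verify_cookie` are all names invented for this example. A cookie replayed over a different channel (stealing) or handed to a client on a different channel (forcing) fails verification.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret for minting and verifying cookies (constructed for this example).
SERVER_KEY = secrets.token_bytes(32)


def channel_id(client_public_key: bytes) -> bytes:
    """Stand-in for the TLS-layer channel identifier.

    In a ChannelID-style design the identifier is derived from a public key
    the client proves possession of during the TLS handshake, so a peer on a
    different connection cannot present the same value. Here we simply hash
    a constructed key blob.
    """
    return hashlib.sha256(client_public_key).digest()


def mint_cookie(session_id: bytes, chan: bytes, key: bytes = SERVER_KEY) -> str:
    """Bind a session id to the channel it was issued over."""
    tag = hmac.new(key, session_id + chan, hashlib.sha256).hexdigest()
    return session_id.hex() + "." + tag


def verify_cookie(cookie: str, chan: bytes, key: bytes = SERVER_KEY) -> Optional[bytes]:
    """Return the session id if the cookie was minted for this channel, else None."""
    try:
        sid_hex, tag = cookie.split(".", 1)
        session_id = bytes.fromhex(sid_hex)
    except ValueError:
        return None
    expected = hmac.new(key, session_id + chan, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    return session_id


def demo(key: bytes = SERVER_KEY) -> dict:
    """Walk through the legitimate case and the two attacks from the message."""
    victim_chan = channel_id(b"victim-channel-pubkey")      # constructed
    attacker_chan = channel_id(b"attacker-channel-pubkey")  # constructed

    # Legitimate use: cookie issued over the victim's channel, presented on it.
    victim_session = secrets.token_bytes(16)
    victim_cookie = mint_cookie(victim_session, victim_chan, key)
    legitimate = verify_cookie(victim_cookie, victim_chan, key) == victim_session

    # Session stealing: the victim's cookie is observed and replayed, but the
    # replay arrives over the attacker's own channel, so the HMAC does not match.
    stolen = verify_cookie(victim_cookie, attacker_chan, key)

    # Session forcing: a cookie for the attacker's account is pushed to the
    # victim, whose requests arrive over the victim's channel, so it is rejected.
    attacker_session = secrets.token_bytes(16)
    attacker_cookie = mint_cookie(attacker_session, attacker_chan, key)
    forced = verify_cookie(attacker_cookie, victim_chan, key)

    return {
        "legitimate": legitimate,
        "stealing_rejected": stolen is None,
        "forcing_rejected": forced is None,
    }


if __name__ == "__main__":
    print(demo())
```

The binding only holds as long as the channel identifier is something the server observes from the connection itself rather than a value the client sends in the clear; if an attacker could choose the channel identifier, both attacks return.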
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec