- From: Ben Adida <ben@adida.net>
- Date: Tue, 07 Jun 2011 16:00:06 -0700
- To: Nico Williams <nico@cryptonector.com>
- CC: "William J. Mills" <wmills@yahoo-inc.com>, "Paul E. Jones" <paulej@packetizer.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Adam Barth <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On 6/7/11 3:57 PM, Nico Williams wrote:
> Not if the MAC doesn't protect enough of the request _and_ response to
> prevent active attacks. Unless you don't care about those attacks
> (which some of you have indicated), in which case why bother with the
> MAC at all?

A passive attacker can sniff your cookie and thus hijack your session. All you need to accomplish that attack is to connect to any open wifi network and use Firesheep. It's a good bit harder to be an active attacker, even on an open wireless network. So there is a difference between passive and active network attackers in terms of feasibility, and MAC cookies limit the scope of what a passive attacker can do.

-Ben
Received on Tuesday, 7 June 2011 23:00:45 UTC
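To make the passive-versus-active distinction concrete, here is an added illustration (not code from the thread, and not the exact normalized string of any IETF draft) of a MAC-style cookie: the session key is established once (for example at login over TLS) and never travels on the wire afterwards; each request instead carries the key identifier, a timestamp, a nonce and an HMAC over the method, path and host. The field names, the layout of the MAC input and the sample requests are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed example: a MAC-authenticated session cookie. The layout of
# the MAC input below is an assumption for illustration only; a real
# deployment would follow whatever normalized string its spec defines.
# Only method, path and host are covered here, which is exactly the gap
# Nico raises: the body and the response are unsigned, so an active
# attacker can still tamper with them even though a passive sniffer
# gains nothing usable.

def normalized_request(timestamp, nonce, method, path, host):
    """Canonical string that the MAC is computed over (assumed layout)."""
    return "\n".join([str(timestamp), nonce, method.upper(), path, host.lower()]) + "\n"

def compute_mac(key, timestamp, nonce, method, path, host):
    msg = normalized_request(timestamp, nonce, method, path, host).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def client_cookie(key_id, key, method, path, host, now):
    """What the browser would send for one request: no secret, only a MAC."""
    nonce = secrets.token_hex(8)
    return {
        "id": key_id,
        "ts": now,
        "nonce": nonce,
        "mac": compute_mac(key, now, nonce, method, path, host),
    }

class Server:
    def __init__(self, keys, window=300):
        self.keys = keys        # key_id -> session key handed out at login
        self.seen = set()       # (key_id, nonce) pairs already accepted
        self.window = window    # seconds of clock skew tolerated
        # A real server would expire entries in self.seen once they fall
        # outside the window; kept unbounded here for brevity.

    def verify(self, cookie, method, path, host, now):
        key = self.keys.get(cookie["id"])
        if key is None:
            return "unknown-id"
        if abs(now - cookie["ts"]) > self.window:
            return "stale"
        expected = compute_mac(key, cookie["ts"], cookie["nonce"], method, path, host)
        if not hmac.compare_digest(expected, cookie["mac"]):
            return "bad-mac"
        if (cookie["id"], cookie["nonce"]) in self.seen:
            return "replay"
        self.seen.add((cookie["id"], cookie["nonce"]))
        return "ok"

def run_scenarios():
    """Legitimate use, then what a Firesheep-style passive sniffer can do with the capture."""
    key = secrets.token_bytes(32)
    server = Server({"sess-1": key})
    t = 1_700_000_000
    host = "mail.example"

    # The user on open wifi fetches /inbox; the sniffer records this cookie.
    captured = client_cookie("sess-1", key, "GET", "/inbox", host, t)
    results = {"legit": server.verify(captured, "GET", "/inbox", host, t)}

    # Sniffer reuses the captured MAC for a different page.
    results["other_path"] = server.verify(captured, "GET", "/settings", host, t + 1)
    # Sniffer replays the captured request verbatim.
    results["replay"] = server.verify(captured, "GET", "/inbox", host, t + 1)
    # Sniffer knows the key id but not the key, and tries to mint a new cookie.
    forged = client_cookie("sess-1", b"not-the-real-key", "GET", "/settings", host, t + 2)
    results["forged"] = server.verify(forged, "GET", "/settings", host, t + 2)
    # Sniffer presents the captured cookie long after the fact.
    results["stale"] = server.verify(captured, "GET", "/inbox", host, t + 3600)
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:11s} -> {outcome}")
```

The contrast with a bearer cookie is the `forged` and `other_path` cases: with a plain session cookie the sniffer simply presents the captured value and gets the whole session; here every captured value is bound to one request and one nonce, so the passive attacker is limited to replaying a single request inside the time window, and even that fails once the nonce has been seen. Nothing here stops an active attacker who can rewrite the unsigned body or response in transit.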