- From: Nico Williams <nico@cryptonector.com>
- Date: Tue, 7 Jun 2011 18:09:34 -0500
- To: Ben Adida <ben@adida.net>
- Cc: "William J. Mills" <wmills@yahoo-inc.com>, "Paul E. Jones" <paulej@packetizer.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Adam Barth <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On Tue, Jun 7, 2011 at 6:00 PM, Ben Adida <ben@adida.net> wrote: > On 6/7/11 3:57 PM, Nico Williams wrote: >> >> Not if the MAC doesn't protect enough of the request _and_ response to >> prevent active attacks. Unless you don't care about those attacks >> (which some of you have indicated), in which case why bother with the >> MAC at all? > > A passive attacker can sniff your cookie and thus hijack your session. All > you need to accomplish that attack is connect to any open wifi network and > use Firesheep. It's a good bit harder to be an active attacker, even on an > open wireless network. Yes, but only for resources that you've already stated you don't care about. If you cared about those resources you'd protect more of the request _and_ response, or you'd use TLS. But you don't want to protect the response and you don't want to use TLS and you don't even want to protect the request body. What you're proposing adds a very marginal degree of security that will be trivial to defeat on open wifi (particularly once the toolset for doing it gets published). Are we serious about security? Or it this just for show? Or am I missing something? Nico --
Received on Tuesday, 7 June 2011 23:09:57 UTC