- From: David W. Morris <dwm@shell.portal.com>
- Date: Fri, 14 Jun 1996 15:31:51 -0700 (PDT)
- To: Dave Kristol <dmk@allegra.att.com>
- Cc: marc@ckm.ucsf.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Fri, 14 Jun 1996, Dave Kristol wrote: > "Marc Salomon" <marc@ckm.ucsf.edu> wrote: > > Would this still be the case if the domain issuing the cookie were required to > > be included amongst the multiple domains in the cookie? If the cookie were > No. An adversary could simply add itself to the list of Domains it > intercepts. A subsequent visit to the adversary's site would disclose > the Cookie. I must be missing something ... if the MITM adds to the domains associated with a cookie, haven't they ALREADY intercepted the cookies so what does it matter if the cookie is provided on a future link to the MITM's domain? I think the exposure would be that an adversary site would generate a cookie which applied to itself and to an under attack domain. Later the bogus cookie would be sent to the attacked domain possibly causing invalid results. Some form of expanded domain partnerships might work (in the future) if both partners expressed the identity relationship to the client. Even then the MITM might be able to fake things. Dave Morris
Received on Friday, 14 June 1996 15:35:52 UTC