- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 27 Jan 2009 15:46:51 +1300
- To: Adam Barth <w3c@adambarth.com>
- CC: ietf-http-wg@w3.org
Adam Barth wrote:
> On Mon, Jan 26, 2009 at 5:34 PM, Adrien de Croy <adrien@qbik.com> wrote:
>
>> Adam Barth wrote:
>>
>>> It is impossible to secure all the users who visit your Web site. You
>>> cannot secure users with IE5 or Firefox 1.0, for example. Moreover,
>>> the header provides incremental value while it is being deployed.
>>>
>> Do you have any more information on this you could refer me to? I find it
>> hard to believe that there can be no security scheme which would be
>> browser-independent.
>>
>
> These browsers are no longer maintained by their vendors. Whenever
> you see a vulnerability patched for IE7 or Firefox 3, there is a good
> chance that vulnerability also exists in IE5 or Firefox 1.0. In the
> context of this discussion, that means the "secret" tokens you rely
> upon for CSRF protection are not secret, and the attacker is free to
> mount a CSRF attack against your site.
>

I was referring to a secure system that does not rely on secrecy, since we all know that secrecy is not security. E.g. some sort of random token + hashing, where you pass a token to the browser, it does something to it (e.g. in script), and passes the result back. One that can't be forged, and can't be replayed.

Regards

Adrien

> Adam
>

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 27 January 2009 02:44:45 UTC
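The challenge-response idea sketched in the message above (server hands the browser a random token, page script transforms it, server checks the result and refuses replays), written out as an added example that is not from this thread or from either author; the per-session key, the 10-minute lifetime and the in-memory store are assumptions:

```python
import hashlib
import hmac
import secrets
import time


class CsrfChallengeStore:
    """Server side: issues single-use challenge nonces and verifies the
    browser's keyed response to them (hypothetical design)."""

    def __init__(self, session_key: bytes, ttl_seconds: int = 600, clock=time.time):
        self.session_key = session_key      # assumed per-session key, shared with the page
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable for testing expiry
        self.pending = {}                   # nonce -> absolute expiry time

    def issue(self) -> str:
        """Create a fresh random challenge and remember it until it expires."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = self.clock() + self.ttl
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        """Accept a response once: unknown, already used or expired nonces fail,
        and the keyed digest is compared in constant time to resist forgery."""
        expiry = self.pending.pop(nonce, None)   # consumed on first use, so no replay
        if expiry is None or self.clock() > expiry:
            return False
        expected = browser_response(self.session_key, nonce)
        return hmac.compare_digest(expected, response)


def browser_response(session_key: bytes, nonce: str) -> str:
    """What the page's script would compute over the challenge before
    sending it back with the state-changing request."""
    return hmac.new(session_key, nonce.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # constructed session key
    store = CsrfChallengeStore(key)
    nonce = store.issue()
    answer = browser_response(key, nonce)
    print("first use accepted:", store.verify(nonce, answer))
    print("replay accepted:   ", store.verify(nonce, answer))
```

The check is only as good as the key the page script holds; a browser that leaks it (the point raised earlier in the thread) defeats this scheme too.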