security at admin.fulgan.com
Mon Jun 7 07:32:02 GMT 2004
TE> It's possible to hijack an https session, it has been done and it
TE> will be done again:
That PDF is an excellent summary of several key concepts in computer
crypto systems: Thank you, I will be re-using it.
What it doesn't contain, however, is anything to back up your own
comment: that HTTPS sessions can, are and will be hijacked.
I've asked another poster to come up with some reference material
before but perhaps my question was a bit too complex in formulation,
so I'll try again:
Do you have reference material that points to a non-trivial way to
hijack an HTTP session between a modern, widely deployed web browser
and a modern, widely deployed web server given the three following
1/ It doesn't rely on the user making the wrong choice.
2/ The server key hasn't been stolen by the attacker in a way that
isn't directly related to the SSL protocol.
I'll remind you that "non-trivial", when speaking about an attack on a
crypto system, excludes solutions like exhaustive key space search.