[Seaside-dev] RE: Rekeying Sessions
James Robertson
jrobertson at cincom.com
Fri Mar 20 16:58:00 UTC 2009
You don't need to peer over someone's shoulder. All you really need
is a half decent camera. Enough people take photos everywhere now
that it would be hard to notice. Is that a real threat? Probably
not, but it's theoretically possible.
James Robertson
Cincom Smalltalk Product Evangelist
http://www.cincomsmalltalk.com/blog/blogView
Talk Small and Carry a Big Class Library
On Mar 19, 2009, at 2:40 AM, Philippe Marschall wrote:
> 2009/3/18 Boris Popov <boris at deepcovelabs.com>:
>> Yes, there are two ways why they say it's a risk,
>>
>> - people tend to copy-paste URLs from address bar when they want to
>> share them with other folks for legitimate reasons; when done
>> within an office behind a common firewall, session protector won't
>> stop users from unintentionally accessing each other's sessions in
>> this scenario
>>
>> - a more sinister angle is someone simply looking over a user's
>> shoulder and typing the same address in their browser; again, if
>> done within the same internet café then the attacker won't be stopped
>> by a session protector
>
> And retyping the session and continuation key? Yeah right, I can
> totally see that happening, "Uhm, excuse me for a second, could you
> move your head away for a second? I can not see whether that is a I or
> l in your session key there."
>
> Philippe
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
>