
[iaik-ssl] R: [iaik-jce] Is my session protected when I use HTTPS protocol?



Hi Luca,

first of all, some colleague of mine remembers distantly that a HttpSession
actually was cracked, but with so considerable an effort that he regards it
as pretty safe.

The thoughts that led me to the last remark in my posting were related to
typical security philosophy, since I don't know your security requirements.
It is sometimes difficult to decide whether information is stored
securely or not. In my company we have some people doing full-fledged
concepts on security issues. To summarize it, whether some data is stored
"securely" depends on two factors: the sensitivity of the data (i.e. the
threat it poses to your business if it is exploited by an unprivileged
third party) and the technical/organizational measures that have been taken
to secure it. For instance, data of vital importance may even need
additional security measures against fairly theoretical threats like the
well-known Man-in-the-Middle attack, whereas less important data would
actually go by without additional measures. It's a risk versus
countermeasure tradeoff; the higher the risk, the stronger you have to act
to cope with it.

Regards,
Stefan Knopp
CSC, Germany.

----- Forwarded by Stefan Knopp/PLZ/CSC on 09.09.2002 08:36 -----

From: "Luca Ventura" <luca_vent@virgilio.it>
To: "Stefan Knopp" <sknopp@cscploenzke.de>
cc:
Subject: R: [iaik-jce] Is my session protected when I use HTTPS protocol?
Date: 07.09.2002 20:27

Yes,

I want to store information in a serverside HttpSession object and I would
like to be sure it is protected. You said that this information "is stored
beyond the serverside end of the transport channel (typically in server
memory)". If this is true, how can someone access it if he can't get the
session-id? In fact the session-id is sent from the client to the server
using cookies or url-rewriting, but in any case this information is
encrypted if I use SSL and no one can read it? Am I right?

Thanks a lot!

                   Luca

-----Original Message-----
From: iaik-jce-owner@iaik.at [mailto:iaik-jce-owner@iaik.at] On behalf of
Stefan Knopp
Sent: Friday, 6 September 2002 21:05
To: iaik-ssl; iaik-jce
Subject: [iaik-jce] Is my session protected when I use HTTPS protocol?


Hi Luca,

SSL provides a transport encryption mechanism. So everything you send over
SSL is protected by the protocol. Yet, if you talk about "storing
information in your session", I get the idea you have some data like credit
card numbers stored e.g. in a serverside HttpSession object. Clearly, this
information is NOT encrypted by SSL, since it is stored beyond the
serverside end of the transport channel (typically in server memory). If
you wish to additionally secure this information, you have to do this on
your own.

Regards,
Stefan Knopp
CSC, Germany.
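As an added illustration of the point above (example code written for this archive page, not from the list or from IAIK-JCE): once a request leaves the SSL endpoint, whatever the application puts into the HttpSession sits in plain server memory, so the application itself has to encrypt it. The hypothetical SessionVault below seals an attribute with AES-GCM under a key that lives only in the server process and is never placed in the session; it uses only the JDK's javax.crypto, with a Map standing in for HttpSession and a constructed test card number as sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper: encrypts a value before it is stored in the HttpSession. */
public final class SessionVault {
    private static final int IV_BYTES = 12;   // 96-bit GCM nonce, fresh for every seal()
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private final SecretKey key;              // held by the server process only, never put in the session
    private final SecureRandom rng = new SecureRandom();
    public SessionVault(SecretKey key) { this.key = key; }
    /** Sealed form is iv || ciphertext || tag; the attribute name is bound as associated data. */
    public byte[] seal(String attribute, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(attribute.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_BYTES + ct.length);   // iv first, ciphertext+tag after it
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }
    /** Throws AEADBadTagException if the bytes were altered or are read back under another attribute name. */
    public String open(String attribute, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, Arrays.copyOf(sealed, IV_BYTES)));
        c.updateAAD(attribute.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(sealed, IV_BYTES, sealed.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                                       // key generated once per server, kept outside the session
        SessionVault vault = new SessionVault(kg.generateKey());
        Map<String, Object> session = new HashMap<>();      // stands in for HttpSession in this example
        String pan = "4111111111111111";                    // constructed test card number, not real data
        session.put("cardNumber", vault.seal("cardNumber", pan));   // i.e. session.setAttribute(...)
        byte[] stored = (byte[]) session.get("cardNumber");          // i.e. session.getAttribute(...)
        System.out.println("in session memory: " + Arrays.toString(stored));   // opaque ciphertext, not the number
        System.out.println("opened by the app: " + vault.open("cardNumber", stored));
    }
}
```

A dump of server memory or of a serialized session then yields only the sealed bytes; the key, not SSL, is what protects the value, and not keeping the card number in the session at all remains the stronger option.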

----- Forwarded by Stefan Knopp/PLZ/CSC on 06.09.2002 20:44 -----

From: "Luca Ventura" <luca_vent@virgilio.it>
Sent by: iaik-jce-owner
To: "iaik-ssl" <iaik-ssl@iaik.at>, "iaik-jce" <iaik-jce@iaik.at>
cc:
Subject: [iaik-jce] Is my session protected when I use HTTPS protocol?
Date: 06.09.2002 16:35


Hello everybody!

I have a doubt: is all the information I store in my session protected
when I use the SSL or HTTPS protocol to send data?
I mean... if I put important information in the user's session (such as
passwords and credit card numbers), am I sure they are encrypted together
with all the other data I send? Or is the information I put in the user's
session sent in clear text in any case?

I hope someone can help me on this topic.

Thanks in advance!

                   Luca

--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the following content:
UNSUBSCRIBE iaik-jce

--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl