Fix Session Mgmt Jacking

From IIW

Issue/Topic: Prevent Session Jacking

Session: Wednesday 2B

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Sam Curren

Notes-taker(s): Sam Curren


Session Jacking, firesheep, ssl

Discussion notes:

There is a need to prevent session jacking (firesheep) without requiring SSL for all content. We gathered ideas for a solution that would require slight modifications to both Browsers and Servers.

The Goal: Prevent reuse of hijacked session bearer token for a new attacker chosen request.

This is only to prevent session jacking, not man-in-the-middle attacks for any of the other network related attacks.

Key Ideas:

  • Leave session cookie/bearer token as-is
  • Establish a key during initial SSL authentication session.
  • Add a keyed-hash for the request, and transmit alongside session cookie.
  • Server checks keyed-hash, validates from original user.

We think the changes to Browsers and Sites would be minimal, following the establishment and verification of a spec.

Key individuals that will be contacted: Colin Jackson, Adam Barth, Ben Laurie.