Home page logo
/

basics logo Security Basics mailing list archives

Re: Newbie HTTPS/SSL question
From: jamesworld () intelligencia com
Date: Thu, 11 Dec 2003 13:14:40 -0600

Darragh,

You allude to the answer to your question in your question:  session
Do a google search on http session state and get an understanding of that, then look at https session states.
Take a look at:
http://jan.netcomp.monash.edu.au/ecommerce/session.html

for a real brief, clean look at what happens under the hood.

Short answer:  no  :-)

Session keys are supposed to be unique. If not, you'd have a huge replay attack problem.

great question. it shows that you are actually thinking about the inner workings. Keep up the questions, both internal and to the list.

-James

At 07:21 12/11/2003, Darragh O'Brien wrote:
Hi,

Is it possible to tie a web page to a particular HTTPS session
so that when requested it is always sent back encrypted with
the server key associated with that session? That way, guessing
the URL of a dynamically created page would not be enough
since we don't have the client key to decrypt it?

Or am I talking nonsense!?

Thanks,
Darragh

---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault