undefined | Better HN

0 pointsdylan6044y ago0 comments

>If

That's are really big word in that sentence. You have NO idea, like 0, what is stored in an encrypted cookie. To even think you do is just pure folly.

0 comments

2 comments · 2 top-level

vntok4y ago

This is a very simplistic way of looking at things. A lot of the times in security, having an idea of what's not in there can be almost as valuable as having an idea of what's in there.

I will provide a very simple counterpoint to your argument: say I log in, log out and log in again, dumping my two encrypted session cookies in between. If they are perfectly identical, then knowing nothing else about the environment nor the encryption used, I already know that there's no timestamp value in the cookie acting as a time barrier, nor a challenge-response check, nor a nonce value.

Knowing that, I can focus my attention on stealing session cookies from users for trying replay attacks.

recursive4y ago

I do have ideas. I can strengthen them by reverse-engineering the behavior using my own account. I participate in follies regularly, so that's not a strong disincentive for me.

j / k navigate · click thread line to collapse