Let's clarify: this was a joke.
And it wasn't.
In a stateless environment are we doing user or entity authentication
with our session token? So are we going to enhance that by doing
dual-factor entity authentication? (SSL + session token...guess we
already are). So add in tri-factor (secret URL hash token)? Is our goal
only to "raise the bar". Or do we add in user-supplied authentication
of some sort? Address state/session management principles?
Lots of questions. Lots of answers. I'm responding to this publicly as
you might not be the only one I confused. And because your response
is the funniest one I've gotten. Thank you,
-----Original Message-----
From:
Sent: Monday, December 20, 2004 11:43 PM
To: arian@anachronic.com
Arian,
I am not sure what the point of your "Cross X Double-Free
Session Riding Turbo Champion Gold" advisory is.
[...] (me neither) [...]
Secondary your mitigation suggestions are entirely
impractical for any production system. (ie. Having the user
supply information on every single page.)
Observant.
Any person subscribed to the security mailing lists are
already following best recommended practices. So you're
advisory is basically "yet another reason why
you should follow best recommended practices."
What planet do you live on? Best practices my ass. But I
get your point: you got no value from my advisory. =)
Furthermore I don't understand how you can critize SecureNet
GmbH's "Session Riding" advisory for "overzealous marketing"
and then proceed to invite media to contact you and you're plan
to release a press release. If "Turbo Champion Gold" isn't marketing
jargon I don't know what is.
You busted me sir. The truth is out. I'm a media wh***.
Now go spike your eggnog and relax.
Arian J. Evans,
Easy to Autodelete,
Uninformed Information Security Opinion at Large,
-and-
Purveyor of Anachrony
http://www.anachronic.com
(Signed pictures of me are available upon request)
