user870283
Reputation:
SSL and Session Hijacking/Fixation
Quick question. Does SSL totally prevent session hijacking/fixation? Thanks.
Upvotes: 2
Views: 849
Answers (1)
Emil Vikström
Reputation: 91983
No. Hijacking may be done for example in these scenarios:
- Hacked CA root signs invalid certificates. The certificate may be used to stage man-in-the-middle attacks.
- Hacked domain owner e-mail inbox makes it possible for the hacker to buy a domain-validated certificate.
- Bad key policies may make it possible for an attacker to gain the private key for the certificate.
- A local attack on the client computer may make it possible to see what's going on in the system, including reading session cookies, intercepting SSL traffic, injecting false CA root certificates in the systems keychain and so on.
- An intrusion by an attacker on the server may be used in any number of ways to intercept traffic, reroute packets or read important system files.
- The client library must validate the SSL certificate and deny sessions with invalid or expired certificates, otherwise it's as trivial to intercept the HTTP traffic as if it where in plain text.
- It may be possible with an XSS attack which gives the cookie away. Web browsers should try to protect against this but you never know if all components works as expected.
Upvotes: 4
Related Questions
- PHP Session Fixation / Hijacking
- Session_start Security
- Securing session and cookies
- Understand & fix php session lost between https and http
- Switching between HTTP and HTTPS pages with secure session-cookie
- Prevent session cookie hijacking WITHOUT SSL
- HTTPS session cookie and post security with PHP
- Security concern when I transfer cookie session from HTTPS to HTTP
- Secure cookies in PHP sessions
- secure sessions/cookies in php