- I was thinking more along the lines that Mallory was seeing non-TLS traffic, such as the initial request to bob.com before Alice started logging in and the connection switches to HTTPS, thus was a passive MitM to collect the session ID and not trigger any TLS warnings; thus once TLS is established, the connection is secure, and only becomes an active attacker once they attempt to connect through the WebSocket. – Ghedipunk, Jul 30, 2015 at 18:41
- Thank you, though; that does stress the need to ensure that the Secure and non-Secure session ID cookies don't mix, and that the non-Secure session ID never points to an authenticated user. I'm working on implementing TLS and session management in open source WS server software, so while I can most certainly stress the importance of not mixing secure and non-secure session IDs, I can't enforce it on the systems that implement the server, so the eavesdropping is still an issue. I'll update my question. – Ghedipunk, Jul 30, 2015 at 18:47
- By the time the user is logging in, the connection should already be encrypted. If it is not, then this would be a problem. – TTT, Jul 30, 2015 at 18:47
- I see what you mean, and I agree with you. You can't associate a session ID with an authenticated user until after the user logs in. And the user can't log in until after TLS is established. So, first encrypt, then login, then session ID. This should be safe. If there is a MitM, then no login should happen at all. (In a perfect world where people heed the warnings.) – TTT, Jul 30, 2015 at 18:53
- I just realized that there is no way to authenticate the HTTPS connection based on session ID alone either, if the session ID is also suspect in the WSS connection. (Or more precisely, verify that Mallory isn't hijacking the session, because any party in a TLS connection can start a brand new connection at any time.) Thus, if the session isn't regenerated on the Web side after logging in (and obviously after starting TLS) but before starting WebSockets, then the WebSocket side can never be securely authenticated. – Ghedipunk, Jul 30, 2015 at 20:29
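The policy the comments converge on (a plaintext-issued session ID never becomes authenticated, the ID is regenerated after login over TLS and before the WebSocket upgrade, and only the post-login ID carries the Secure flag) as an added example, not code from the asker's WS server project; the `over_tls` flag is assumed to be supplied by the transport layer.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None   # None until a login over TLS succeeds
    secure_only: bool = False    # True only for IDs that were never sent over plaintext


class SessionStore:
    """Minimal session manager (constructed example) enforcing the thread's rules."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self, over_tls: bool) -> str:
        """Issue an anonymous session ID; remember whether it could have been eavesdropped."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(secure_only=over_tls)
        return sid

    def login(self, old_sid: str, user: str, password_ok: bool, over_tls: bool) -> Optional[str]:
        """Authenticate and rotate the session ID. Returns the new ID, or None if refused."""
        # Never bind a user to a session unless the login itself arrived over TLS.
        if not (over_tls and password_ok):
            return None
        # Drop the pre-login ID (possibly captured by a passive MitM) and issue a fresh one.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, secure_only=True)
        return new_sid

    def cookie_header(self, sid: str) -> str:
        """Set-Cookie line for the ID; Secure is set only on IDs that never touched plaintext."""
        attrs = "Path=/; HttpOnly; SameSite=Strict"
        if self._sessions[sid].secure_only:
            attrs += "; Secure"  # browser will not send this cookie over http://
        return f"Set-Cookie: sid={sid}; {attrs}"

    def authorize_websocket(self, sid: str, over_tls: bool) -> Optional[str]:
        """Return the user for a wss:// upgrade, or None if the session may not authenticate it."""
        sess = self._sessions.get(sid)
        if sess is None or not over_tls or not sess.secure_only or sess.user is None:
            return None
        return sess.user
```

Because `login` discards the pre-TLS ID, an ID captured before the switch to HTTPS cannot be replayed against the WebSocket endpoint even if the victim later authenticates.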