Thoughts from webmail session stealing

August 6, 2007 at 7:54 pm 1 comment

Much has been written about how Rob Graham was easily able to steal session ID cookies to hijack a person’s Gmail account at the Black Hat conference. Examples of coverage include this article in The Register and this one in tgdaily.

The hijack is possible despite the actual authentication exchange itself being protected by SSL. Any website that does not protect post-authentication exchanges with SSL or some other appropriate mechanism is similarly at risk.
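A defensive check tied to the point above, added here as an example and not code from the original post: a small Python audit of Set-Cookie headers that flags session-like cookies lacking the Secure attribute (which is what lets a browser send them over plaintext HTTP after an SSL-protected login) and shows the hardened header. Cookie names and values are constructed, and the name heuristic is an assumption.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as a webmail server might emit after
# an SSL-protected login. Names and values are made up for this example.
SAMPLE_SET_COOKIE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com",   # session cookie, no Secure flag
    "PREF=en; Path=/",                           # preference cookie, not sensitive
    "LSID=def456; Path=/; Secure; HttpOnly",     # session cookie, correctly flagged
]

# Substrings suggesting a cookie carries session or auth state (assumed heuristic).
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token")


def looks_like_session_cookie(name):
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_set_cookie(headers):
    """Return {cookie_name: [problems]} for session-like cookies that a browser
    would send over plaintext HTTP (no Secure) or expose to page script (no HttpOnly)."""
    findings = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not looks_like_session_cookie(name):
                continue
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure: sent over plain HTTP, sniffable")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly: readable by page script")
            if problems:
                findings[name] = problems
    return findings


def harden_set_cookie(raw):
    """Return the header with Secure and HttpOnly added to session-like cookies."""
    jar = SimpleCookie()
    jar.load(raw)
    out = []
    for name, morsel in jar.items():
        if looks_like_session_cookie(name):
            morsel["secure"] = True
            morsel["httponly"] = True
        out.append(morsel.OutputString())
    return "; ".join(out)


if __name__ == "__main__":
    for name, problems in audit_set_cookie(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name, "->", "; ".join(problems))
    print(harden_set_cookie(SAMPLE_SET_COOKIE_HEADERS[0]))
```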

According to The Register article, Rob went on to say, “Web 2.0 is now fundamentally broken.” Uh…not quite.

However, this incident raised two thoughts:

1. Further along the lines of a post by Conor Cahill, it once again highlighted how authentication needs to be complemented by other security measures to make online transactions as a whole safe.

Sometimes there is too much focus on getting authentication right and not enough on other security measures. Authentication is no silver bullet, just one of the important bits.

2. In an inter-connected system, failure of one part can lead to a perception of failure of other parts and the system as a whole.

For example, imagine that the authentication to Gmail was external, say via an IdP (Identity Provider). In that case, the failure of Gmail post-authentication may give rise to a perception of a security failure by the IdP.

At a system level, it also gives people one more reason to be nervous about transacting online. This is particularly acute in federated systems.

While people who understand exactly what happened will tend to dismiss such perceptions as ignorance, I think the perception of security is as important as the reality. This makes it vital for IdPs, for the sake of their own reputation, to care how an SP (Service Provider) interacts with its customers, even though the IdP is not a party to that transaction.


Entry filed under: authentication, fraud, identity, personal_info, privacy, security, strategy, trust, Web_2.0.
