[Cosmo-dev] CMP and AJAX
Matthew Eernisse
mde at osafoundation.org
Wed Sep 20 21:57:36 PDT 2006
A small distinction that might be worth noting -- compromising a session
means an attacker can do Bad Things right then. Compromising the
password means the attacker can do Bad Things at will and at his
leisure, without the user immediately knowing security has been
compromised.
Also since users tend to re-use passwords the attacker could also end up
getting access to the unsuspecting user's online bank account, etc.
I may be going overboard on the paranoia -- but the black eye from
compromised security lasts a long time. Just trying to consider all the
angles.
M.
Brian Moseley wrote:
>>
>> for the record, this is the approach i favor. i am not worried about
>> defending against an attacker with a js shell - if he's already at the
>> keyboard with an in-process cosmo session, he doesn't need to steal
>> the password, cos he's already in ;)
>>