RE: Official secrets act
I'm sure they'll be sent through the post unencrypted well before then.
If you have to resort to this, then you're in a failed relationship. Even if you find out your other half isn't getting their end away elsewhere, you have serious trust issues which need resolving.
Taking a different tack: most of the readers of El Reg are against the powers that be monitoring us, so unless we're hypocrites, we're hardly going to condone the covert surveillance of our loved ones by those that are supposed to trust them!
There are many sites out there (I would list any where credentials are handed over SSL and then passed back through unencrypted channels) where this attack vector would exist ... and it's certainly not new. This has been around for many, many years.
Personally I use more than the session id for authentication where I can on repeat requests (specifically the remote IP address), but with the more prevalent use of NAT in large offices and on open Wi-Fi networks (and the potential harder angle of spoofing) this has become less effective. Roll on IPv6!
I have been a long time advocate for anything where you need to login (and want to ensure your account is safe) being executed over SSL for the entirety of the visit.
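The two defences described in the post above (binding a session to the IP seen at login, and keeping the session id on the encrypted channel via a Secure cookie), as an added example that is not the commenter's code; it assumes a constructed in-memory session store and made-up client addresses.

```python
import secrets
from dataclasses import dataclass

# Constructed in-memory store; a real service would use a server-side session backend.
SESSIONS = {}


@dataclass
class Session:
    user: str
    client_ip: str  # remote IP recorded at login, re-checked on every later request


def create_session(user, client_ip):
    """Issue an unguessable session id bound to the client's login address."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user, client_ip)
    return sid


def set_cookie_header(sid):
    # Secure stops the browser sending the cookie over plain HTTP, so a
    # later unencrypted request cannot leak it; HttpOnly keeps page scripts out.
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def authenticate(sid, client_ip, over_tls):
    """Return the user for a valid session, or None if the request is rejected."""
    if not over_tls:
        return None  # the session id is only honoured on the encrypted channel
    session = SESSIONS.get(sid)
    if session is None:
        return None
    # Second check from the post: the request must come from the IP seen at login.
    # Caveat from the same post: clients behind NAT or on shared Wi-Fi present one
    # address, so this narrows replay of a captured id rather than eliminating it.
    if session.client_ip != client_ip:
        return None
    return session.user
```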