
Session Hijacking

Isuru Samaraweera
Ranch Hand
Posts: 54
Hi All,
Can somebody explain whether there is a relationship between encrypting the transport layer and session hijacking?

Does encrypting the transport layer eliminate the vulnerability to session hijacking?

Thanks,
Isuru
Rahul Shar
Greenhorn
Posts: 23
Security at the transport layer can be achieved by SSL/TLS, which encrypts data between client and server. I think session hijacking is not possible if data is encrypted. It completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.

Thanks
Rahul
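To make the "other kind of session hijack" concrete from the defender's side, here is an added example (not code from this thread or from any Java EE container) of the server-side controls that TLS does not provide by itself: an unguessable session ID that is rotated on login (so a pre-login ID cannot be reused, i.e. session fixation), server-side invalidation on logout, and a Set-Cookie value carrying the Secure, HttpOnly and SameSite attributes so the browser never sends the cookie in plaintext and page scripts cannot read it. The cookie name JSESSIONID is assumed only because it is the conventional servlet session cookie; the small `audit_set_cookie` helper is a hypothetical check you could run over Set-Cookie headers an application actually emits.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed cookie name; JSESSIONID is the conventional Java EE servlet session cookie.
SESSION_COOKIE = "JSESSIONID"


class SessionStore:
    """Minimal in-memory session store.

    IDs are unguessable random tokens, and only a keyed hash of each ID is kept
    server-side, so a leaked copy of the table does not yield usable cookies.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # hashed ID -> session data

    def _h(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[self._h(sid)] = {"user": None}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(self._h(sid))

    def login(self, old_sid: str, user: str) -> str:
        """Authenticate the session and rotate its ID.

        The pre-login ID is discarded, so an ID that was planted or observed
        before authentication (session fixation) never becomes a logged-in one.
        """
        data = self._sessions.pop(self._h(old_sid), None)
        if data is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[self._h(new_sid)] = {**data, "user": user}
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate server-side so a copied ID dies with the session."""
        self._sessions.pop(self._h(sid), None)


def set_cookie_header(sid: str) -> str:
    """Build a hardened Set-Cookie value for the session ID."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    m = c[SESSION_COOKIE]
    m["secure"] = True        # sent only over TLS: closes the plaintext-sniffing case
    m["httponly"] = True      # hidden from page scripts: blunts theft via XSS
    m["samesite"] = "Strict"  # not attached to cross-site requests
    m["path"] = "/"
    return m.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the hardening attributes missing from a Set-Cookie value (hypothetical check)."""
    present = {p.strip().split("=", 1)[0].lower() for p in header_value.split(";")[1:]}
    return [a for a in ("secure", "httponly", "samesite") if a not in present]


if __name__ == "__main__":
    store = SessionStore(secrets.token_bytes(32))
    anon = store.create()
    authed = store.login(anon, "alice")
    print(set_cookie_header(authed))
    # Constructed example of a weak header as an older application might emit it.
    print(audit_set_cookie("JSESSIONID=abc123; Path=/"))
```

The point of the pairing is that TLS protects the ID on the wire, while the store and the cookie attributes protect it at the two endpoints; an application that omits either side is still hijackable even with a perfect transport.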
Isuru Samaraweera
Ranch Hand
Posts: 54
Hi Rahul,
Thanks for the reply and it makes sense.

How about denial of service attacks? Are you aware of any kind of DoS attack conducted simply because the transport layer is not encrypted?

Or

Is it fair to say "Encrypting the transport layer prevents DoS attacks"? Or is there no relationship at all?

Please explain

Thanks,
Isuru
Mike Degteariov
Ranch Hand
Posts: 145
Hi,

I created a thread with a link to the document I made with some useful information about security attacks.
In particular, this doc contains an answer to your question about session hijacking.
The thread, named Security Attack Summary, is just two lines ahead of yours, so it is still on the first page of the OCMJEA forum.
I wonder if you had a chance to look into it.
efthymia armanidi
Greenhorn
Posts: 11
Hello,

First of all, I believe that there is no definite action to take regarding any security issue.

However, I think that TLS could possibly protect us from man in the middle and denial of service.
With two-way SSL (SSL with client authentication), the server presents a certificate to the client and the client presents a certificate to the server. WebLogic Server can be configured to require clients to submit valid and trusted certificates before completing the SSL connection. (http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm)
So if we configure SSL appropriately (i.e. two-way SSL) we can be protected from DOS attacks, because the client would be trusted.
Session hijacking is not negated by SSL alone, because, as Rahul stated, it could still be possible to perform some other kind of session hijack (i.e. cookie or URL rewriting).

//BR
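As an added example (not the poster's WebLogic configuration and not code from this thread), the following shows the one-way and two-way (mutual) TLS server settings side by side using Python's standard `ssl` module, plus a helper that reads the authenticated client identity from the certificate dictionary `SSLSocket.getpeercert()` returns. Certificate and CA file paths are parameters you would supply; they are left optional so the policy can be inspected without key material. One caveat worth keeping in mind: with `CERT_REQUIRED` the server refuses clients that present no trusted certificate, but it still performs the handshake work for every connection attempt before refusing, so this controls which clients reach the application rather than how much handshake load the server absorbs.

```python
import ssl


def one_way_context(cert_file=None, key_file=None):
    """Ordinary server-side TLS: the server proves its identity, any client may
    connect. Sniffing on the path is prevented; the client's identity is unknown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:  # server certificate chain and private key (paths assumed)
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def two_way_context(cert_file=None, key_file=None, client_ca_file=None):
    """Mutual TLS: in addition to the above, the handshake fails unless the
    client presents a certificate chaining to the CA(s) in client_ca_file."""
    ctx = one_way_context(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the setting that turns one-way into two-way
    if client_ca_file:  # CA bundle used to judge client certificates (path assumed)
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when a context will reject clients that present no trusted certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def peer_common_name(peer_cert: dict):
    """Extract the subject CN from the dict form of SSLSocket.getpeercert().

    The subject is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    Returns None for an empty dict, which is what a one-way TLS server sees.
    """
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


if __name__ == "__main__":
    print("one-way requires client cert:", requires_client_cert(one_way_context()))
    print("two-way requires client cert:", requires_client_cert(two_way_context()))
    # Constructed peer certificate dict in the shape getpeercert() returns.
    sample = {"subject": ((("organizationName", "Example Org"),),
                          (("commonName", "client-42"),))}
    print("authenticated client:", peer_common_name(sample))
```

In a real deployment the server would call `ctx.wrap_socket(sock, server_side=True)` and then use `peer_common_name(conn.getpeercert())` to tie the TLS-level identity to the application session, which is the property one-way TLS cannot give you.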