Posted by Gordon Burditt on 06/14/07 04:29
>> No, short of SSL, there is no safe solution. Anyone anywhere between
>> the client and the server can intercept the data and use it for whatever
>> reason. Of course, because there's no guarantee as to what route a
>> packet will follow, the most likely places to intercept the packets is
>> on either end.
>>
>> But then that's why SSL was invented.
>>
>
>Okay, let's have some constraints: say you can use SSL during login, but
>you can't use SSL for data transmission afterward, so is it possible?
>(similar to yahoo or gmail)
SSL isn't 100% safe, either. I could guess the key on the first
try. (VERY unlikely!) I could also guess an 8K-bit session cookie
on the first try. In the case of the session cookie, there's
sniffing it off the wire, session fixation, and a bunch of other
attacks after you've left the SSL session.
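To make the session-cookie risks in the reply concrete from the defender's side, here is an added Python example (not code from the thread or from any framework it mentions). It models a hypothetical in-memory `SessionStore`, an assumption for illustration: session ids come from the OS CSPRNG so guessing one is infeasible, the id is rotated at login so a pre-login id planted by an attacker (session fixation) is worthless, and the cookie is emitted with the `Secure` flag so it is never sent over plaintext HTTP. That last flag is exactly the tension in the question: a cookie that is allowed to travel over plain HTTP after the SSL login is the one that can be sniffed off the wire.

```python
import secrets
import hmac
from typing import Dict, Optional

# Hypothetical in-memory session store used only for this example; no real
# framework's API is being modelled here.
class SessionStore:
    def __init__(self, token_bytes: int = 32):
        # 32 bytes from the OS CSPRNG = 256 bits of entropy per session id
        self.token_bytes = token_bytes
        self.sessions: Dict[str, Dict] = {}

    def create(self, data: Optional[Dict] = None) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG, never from random.random()
        token = secrets.token_urlsafe(self.token_bytes)
        self.sessions[token] = dict(data or {})
        return token

    def lookup(self, token: str) -> Optional[Dict]:
        # Compare in constant time so a timing side channel cannot reveal
        # how many leading characters of a guessed id were correct.
        for stored, data in self.sessions.items():
            if hmac.compare_digest(stored, token):
                return data
        return None

    def login(self, old_token: str, user: str) -> str:
        # Session fixation defence: the id the browser held before
        # authentication is discarded and a fresh one is issued, so an id
        # an attacker managed to plant before login never becomes privileged.
        data = self.sessions.pop(old_token, {})
        data["user"] = user
        return self.create(data)

    def logout(self, token: str) -> None:
        # Invalidate server-side so a sniffed id stops working once the
        # user logs out, rather than living until the cookie expires.
        self.sessions.pop(token, None)


def entropy_bits(token_bytes: int) -> int:
    # Bits an attacker must guess; at 256 bits a first-try guess is negligible
    return token_bytes * 8


def set_cookie_header(token: str, name: str = "sid") -> str:
    # Secure:   browser only sends the cookie over HTTPS, so it cannot be
    #           sniffed on a plaintext hop after the SSL login.
    # HttpOnly: not readable from page script.
    # SameSite: not attached to cross-site requests.
    return f"Set-Cookie: {name}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                 # id handed out before login
    authed = store.login(anon, "alice")   # rotated at login
    print(set_cookie_header(authed))
    print("old id still valid?", store.lookup(anon) is not None)  # False
```

Run it and the pre-login id no longer resolves after `login`, which is the property that defeats fixation; dropping the `Secure` attribute is what would recreate the "SSL for login only" exposure the reply warns about.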