Team for Research in Ubiquitous Secure Technology

SessionJuggler: Secure Login From an Untrusted Terminal Using Session Hijacking
Elie Bursztein

Citation
Elie Bursztein. "SessionJuggler: Secure Login From an Untrusted Terminal Using Session Hijacking". Talk or presentation, 10 November 2010.

Abstract
We show that session hijacking can have positive applications; in particular, it can help with secure login from an untrusted terminal. While there are many proposals for securing a login from an untrusted terminal, they all require either server-side changes or client-side changes. In this paper we explore a new web user authentication mechanism called SessionJuggler that enables user login without ever entering a long-term credential on the insecure terminal. SessionJuggler requires no server-side changes and assumes no special software on the client beyond a modern web browser. Roughly speaking, with SessionJuggler users log in to a web site using a modified smartphone browser and then transfer the entire session, including cookies and all other session state, to the terminal. The challenge is to ensure that this transfer, which looks like session hijacking, does not cause the web site to invalidate the session. We survey session hijacking defenses used by popular sites and explain how SessionJuggler bypasses all these defenses. Beyond session migration, SessionJuggler also provides a trusted logout mechanism where the trusted phone is used to terminate the session.
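The following toy model is an added illustration of the migration and trusted-logout flow sketched in the abstract; it is not code from the SessionJuggler paper or its author. The abstract does not say which hijacking defenses the surveyed sites use, so the model assumes one plausible stand-in (binding the session to the User-Agent header) and treats "all other session state" as the request headers the phone browser sent. The site, browsers, user name and password are all constructed for the example.

```python
"""Toy model of a SessionJuggler-style session migration and trusted logout.

Added illustration only; this is not code from the SessionJuggler paper or
its author. Assumptions that the abstract does not spell out:
  * The site defends against hijacking by binding each session to a client
    fingerprint, modelled here as the User-Agent header. The paper surveys
    real sites' defenses; this is just one plausible stand-in.
  * "All other session state" is modelled as the headers the phone browser
    sent, which the terminal must reproduce alongside the cookie jar.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str      # client fingerprint captured at login (assumed defense)
    valid: bool = True


class Site:
    """Minimal web site: login sets a cookie, requests are checked against it."""

    def __init__(self):
        self.sessions = {}
        # Constructed sample credential; the long-term secret never reaches the kiosk.
        self.passwords = {"alice": "correct horse battery staple"}

    def login(self, user, password, headers):
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, headers["User-Agent"])
        return {"sid": sid}                      # Set-Cookie

    def request(self, cookies, headers):
        s = self.sessions.get(cookies.get("sid"))
        if s is None or not s.valid:
            return 401, "no session"
        # Hijacking defense: a session presented from a different-looking
        # client than the one that logged in is rejected.
        if s.fingerprint != headers["User-Agent"]:
            return 403, "fingerprint mismatch"
        return 200, f"hello {s.user}"

    def logout(self, cookies):
        s = self.sessions.get(cookies.get("sid"))
        if s is not None:
            s.valid = False


class Browser:
    """Cookie jar plus the request headers that identify this browser."""

    def __init__(self, user_agent):
        self.headers = {"User-Agent": user_agent}
        self.cookies = {}

    def export_session(self):
        # Everything the terminal needs to continue the session: cookies and
        # the headers the site may have fingerprinted, not just the cookies.
        return {"cookies": dict(self.cookies), "headers": dict(self.headers)}

    def import_session(self, bundle):
        self.cookies = dict(bundle["cookies"])
        self.headers = dict(bundle["headers"])  # present the phone's fingerprint


def run_scenario():
    """Returns the HTTP status codes for: cookies-only transfer,
    full-state transfer, and the terminal's request after the phone logs out."""
    site = Site()
    phone = Browser("PhoneBrowser/1.0")
    terminal = Browser("KioskBrowser/9.9")

    # 1. The password is typed only on the trusted phone.
    phone.cookies.update(site.login("alice", "correct horse battery staple", phone.headers))

    # 2. Copying cookies alone looks like a hijack and trips the binding check.
    terminal.cookies = dict(phone.cookies)
    naive = site.request(terminal.cookies, terminal.headers)

    # 3. Migrating the whole session state makes the terminal indistinguishable
    #    from the phone, so the site keeps the session alive.
    terminal.import_session(phone.export_session())
    migrated = site.request(terminal.cookies, terminal.headers)

    # 4. Trusted logout: the phone still holds the same sid and can kill the
    #    session even if the kiosk is never touched again.
    site.logout(phone.cookies)
    after_logout = site.request(terminal.cookies, terminal.headers)
    return naive[0], migrated[0], after_logout[0]


if __name__ == "__main__":
    print(run_scenario())  # (403, 200, 401)
```

The three status codes make the abstract's point concrete: a cookie-only copy is what a real hijacker usually has and is exactly what a binding defense catches, whereas carrying over the complete client state is indistinguishable to the server from the original browser, and keeping the session identifier on the phone is what makes the phone-side logout authoritative for the kiosk as well.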


Citation formats
  • HTML
    Elie Bursztein. <a
    href="http://www.truststc.org/pubs/763.html"
    ><i>SessionJuggler: Secure Login From an Untrusted
    Terminal Using Session Hijacking</i></a>, Talk
    or presentation, 10 November 2010.
  • Plain text
    Elie Bursztein. "SessionJuggler: Secure Login From an
    Untrusted Terminal Using Session Hijacking". Talk or
    presentation, 10 November 2010.
  • BibTeX
    @presentation{Bursztein10_SessionJugglerSecureLoginFromUntrustedTerminalUsing,
        author = {Elie Bursztein},
        title = {SessionJuggler: Secure Login From an Untrusted
                  Terminal Using Session Hijacking},
        day = {10},
        month = {November},
        year = {2010},
        abstract = {We show that session hijacking can have positive
                  applications; in particular, it can help with
                  secure login from an untrusted terminal. While
                  there are many proposals for securing a login from
                  an untrusted terminal, they all require either
                  server-side changes or client-side changes. In
                  this paper we explore a new web user
                  authentication mechanism called SessionJuggler
                  that enables user login without ever entering a
                  long-term credential on the insecure terminal.
                  SessionJuggler requires no server-side changes and
                  assumes no special software on the client beyond a
                  modern web browser. Roughly speaking, with
                  SessionJuggler users log in to a web site using a
                  modified smartphone browser and then transfer the
                  entire session, including cookies and all other
                  session state, to the terminal. The challenge is
                  to ensure that this transfer—which looks like
                  session hijacking—does not cause the web site to
                  invalidate the session. We survey session
                  hijacking defenses used by popular sites and
                  explain how SessionJuggler bypasses all these
                  defenses. Beyond session migration, SessionJuggler
                  also provides a trusted logout mechanism where the
                  trusted phone is used to terminate the session.},
        URL = {http://www.truststc.org/pubs/763.html}
    }
    

Posted by Larry Rohrbough on 7 Dec 2010.
Groups: trust
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.