Re: SSL VPNs and security

On 8 Jun 2006 at 22:48, Michal Zalewski wrote:

"Web VPN" or "SSL VPN" is a term used to denote methods for accessing a
company's internal applications with a bare WWW browser, with the use of
browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
no additional software or configuration is required, and hence corporate
users can use pretty much any computer they can put their hands on.

- Application cookies set by other applications. If passed to the
browser (as some SSL VPNs do), these cookies are separated by the use
of "path" parameter alone, which does not necessarily establish a
browser security domain boundary. This is equivalent to the attacker
obtaining user credentials to these applications.

Yes, the path field (in Set-Cookie) doesn't buy you much; see a detailed discussion in
"Path Insecurity":