SSL Token Timeout

From: woodylsmo (hparker_at_fbdconsult.com)
Date: 09/30/03


Date: Tue, 30 Sep 2003 05:58:28 -0700


We had an incident where a client contacted our secure web
server and accessed a record via SSL. Our web server is
running IIS 5.0 and it is tied to a SQL2K server for the
database records. This user logged into the secured URL
using HTTPS:\\urlname. Once the user got their account
information, they cut and pasted the entire SSL key from
their IE browser into an email message that was sent to
the entire company of the user. Once individuals within
the company received the email, they were able to just
click on the link and gain full access to the secured
website and all of the records in the database.

Is there a way to tell SSL to timeout faster, or timeout
once the user leaves the current web page? Can we somehow
prevent cut/copy/paste of the public SSL key? What is the
default timeout for SSL keys and how do I change it? I am
not sure how exactly to handle this but I know this has to
be prevented. Can anyone give me some answers?
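
An added example, not part of the original post: assuming the emailed link carried a server-side session identifier in its URL (the post does not say exactly what was pasted), the lifetime that matters is the application session's, since SSL only protects the connection and does not decide who may replay a link. The sketch below keeps the token out of the URL and enforces idle and absolute timeouts on the server; the class name, timeout values and client fingerprint are hypothetical.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, however active

class SessionStore:
    """Server-side sessions with idle timeout, absolute timeout and client binding."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _fingerprint(client_ip, user_agent):
        # Assumed binding: client IP plus User-Agent, hashed.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def create(self, user, client_ip, user_agent, now):
        token = secrets.token_urlsafe(32)  # send in a Secure, HttpOnly cookie, never in the URL
        self._sessions[token] = {
            "user": user, "created": now, "last_seen": now,
            "client": self._fingerprint(client_ip, user_agent),
        }
        return token

    def validate(self, token, client_ip, user_agent, now):
        """Return (user, reason); user is None when the caller must log in again."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None, "absolute-timeout"
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None, "idle-timeout"
        if s["client"] != self._fingerprint(client_ip, user_agent):
            del self._sessions[token]          # token seen from another client: revoke it
            return None, "client-mismatch"
        s["last_seen"] = now
        return s["user"], "ok"

    def logout(self, token):
        self._sessions.pop(token, None)        # explicit logout ends the session at once

if __name__ == "__main__":  # constructed sample requests
    store = SessionStore()
    tok = store.create("alice", "203.0.113.10", "MSIE 6.0", now=0)
    print(store.validate(tok, "203.0.113.10", "MSIE 6.0", now=1000))  # past the idle limit
```

Binding to IP and User-Agent is only a weak signal: colleagues behind the same NAT with the same browser produce the same fingerprint, so keeping the token out of the URL and the short idle timeout do the real work.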


