[mdlug] Update on scam protection, take 2

Carl T. Miller carl at carltm.com
Tue Mar 19 22:11:59 EDT 2024


On 3/19/24 05:17 PM, Jonathan Billings wrote:
> On Mar 19, 2024, at 10:15, Carl T. Miller <carl at carltm.com> wrote:
>> I had heard of something that can surreptitiously allow
>> scammers to hijack sessions, allowing them to log in
>> without knowing a user's credentials.
>>
>> This video tells more about it and ways to protect your
>> sessions.  Although it is mostly focused on Windows, it's
>> good to be aware of this, especially if you help support
>> family and friends.
> How can we be sure *this* message wasn’t sent from a hijacked session?!?!?! :)

If it was, the guy sure did a great impression of me!

> BTW, what kind of session are you talking about?
>

That would be a website login.  Basically whenever you log
into a website, an HTTP session is created and a cookie
contains the identifier.  This is good, since you don't have
to log in again after each time you click on something.  But
if someone manages to get a copy of the cookie, they
can go to the website and take over your session, without
needing to log in.

I remember back in the day when it was always recommended
to log out when leaving an encrypted site, but that seemed
pointless at the time.  Now it's a good idea, since it will
invalidate the session identified by the cookie, and cookie
theft is happening frequently these days.

c
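
Added example, not part of the original message: a minimal server-side session table showing why logging out matters. Any copy of the cookie is accepted while the session exists, and every copy is rejected once logout deletes it. The cookie name `sid`, the `SessionStore` class and the user name are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"  # hypothetical cookie name, not from the original message


class SessionStore:
    """Server-side table mapping session identifiers to logged-in users."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        """Create a session and return the cookie as "sid=<identifier>"."""
        sid = secrets.token_urlsafe(32)  # random, unguessable identifier
        self._sessions[sid] = user
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = sid
        return cookie[COOKIE_NAME].OutputString()

    def _sid_from(self, cookie_header):
        """Extract the session identifier from a request's Cookie header."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        return morsel.value if morsel else None

    def authenticate(self, cookie_header):
        """Return the user this cookie identifies, or None if no such session."""
        return self._sessions.get(self._sid_from(cookie_header))

    def logout(self, cookie_header):
        """Delete the session on the server; returns True if one was removed."""
        return self._sessions.pop(self._sid_from(cookie_header), None) is not None


def demo():
    """Constructed scenario: the same cookie value presented from two places."""
    store = SessionStore()
    own_cookie = store.login("carl")   # constructed sample user
    copied_cookie = str(own_cookie)    # identical value held somewhere else
    before = store.authenticate(copied_cookie)  # accepted: server sees only the id
    store.logout(own_cookie)                    # owner logs out
    after = store.authenticate(copied_cookie)   # rejected: session no longer exists
    return before, after


if __name__ == "__main__":
    print(demo())
```

Closing the browser tab without logging out leaves the entry in the server's table, so the identifier stays usable until the site expires it on its own.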


