Date: Tue, 16 Apr 2013 10:11:36 -0400
Subject: Re: Cookie Invalidation Problem
From: AWS Security <aws-security@amazon.com>
Sender: "Jackson, Matthew" <mjack@amazon.com>
To: Craig Young
CC: AWS Security <aws-security@amazon.com>
Message-ID: <CD92D25E.16782%mjack@amazon.com>
Thread-Topic: Cookie Invalidation Problem
In-Reply-To: <CD8C2A33.15D8B%mjack@amazon.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B_3448951899_14425343"

--B_3448951899_14425343
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

Hi Craig,

Thank you for reporting this issue to the Amazon Web Services (AWS) Security
Group. We take all reports of security issues seriously and thank you for
sending it to us. Our investigation shows that this is currently working as
designed; however, we are always looking for new opportunities to serve our
customers better.

Please note that the data stored in AWS's authentication cookies are not
valid indefinitely (regardless of the expiration date on the HTTP Cookie
header), and therefore captured cookies do not allow permanent access to
customer accounts. Further, if malware compromises a browser being used to
access the AWS Management Console, it can already surreptitiously perform
actions under the customer's identity and can block the logout function. The
ability to steal limited-lifetime authentication cookies does not present a
particularly greater attack surface.

We encourage customers concerned about the locations used for administrative
access to AWS to use IAM users configured with least privilege, and to
optionally restrict the source IP address from which those users can
interact with AWS. This would further mitigate the risk of an authentication
cookie being stolen from a customer browser and used from a different
location.

We hope this addresses your reported issue, and thank you again for
contacting AWS Security!

Sincerely,
Matt
AWS Security
https://aws.amazon.com/security
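The mitigation the reply recommends (least-privilege IAM users whose access is restricted to known source addresses) is expressed as an IAM policy condition on the `aws:SourceIp` key. The policy below is an added illustration and is not part of the original email or an AWS-supplied document; the two CIDR ranges are placeholders from the documentation-reserved blocks and would be replaced by the organisation's real administrative egress addresses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideCorporateEgress",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      }
    }
  ]
}
```

Attached to an IAM user (or group) alongside its least-privilege allow policy, the explicit `Deny` wins over any `Allow`, so a console session cookie replayed from an address outside the listed ranges is refused even while the cookie is still within its server-side lifetime. Two caveats a practitioner should check before rolling this out: `aws:SourceIp` is the address as seen by AWS, so users behind NAT or a VPN need the egress address listed rather than their workstation address, and an unconditional deny of this shape also blocks calls that AWS services make on the principal's behalf unless the condition is further scoped (for example with the `aws:ViaAWSService` key), so the policy should first be tested on a non-critical user.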