Support session encryption

Implement session encryption.
author: kkadosh 2018-05-29 19:34:16 +0000
committer: jvoisin 2018-05-29 19:34:16 +0000
commit: 7832438b7abedf567ce6376f99949f419abcdff1 (patch)
tree: 560e43918d1dc36ce4cf760a5b27aed0c563bc1c /doc/source/features.rst
parent: 9eebe8c67e03e3041d454ea28e93996f7a67740b (diff)
1 files changed, 3 insertions, 6 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 24c5074..08ad3d4 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -63,8 +63,8 @@ Examples of related vulnerabilities
 .. _cookie-encryption-feature:
-Session-cookie stealing via XSS
+Cookie stealing via XSS
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^
 The goto payload for XSS is often to steal cookies.
 Like *Suhosin*, we are encrypting the cookies with a secret key,
@@ -79,10 +79,7 @@ This feature is roughly the same than the `Suhosin one <https://suhosin.org/stor
 Having a secret server-side key will prevent anyone (even the user himself)
 from reading the content of the cookie, reducing the impact of an application storing sensitive data client-side.
-The encryption is done via the `tweetnacl library <https://tweetnacl.cr.yp.to/>`_,
-thus using curve25519, xsalsa20 and poly1305 for the encryption. We chose this
-library because of its portability, simplicity and reduced size (a single `.h` and
-`.c` file.).
 .. _fileupload-feature:
author	kkadosh	2018-05-29 19:34:16 +0000
committer	jvoisin	2018-05-29 19:34:16 +0000
commit	7832438b7abedf567ce6376f99949f419abcdff1 (patch)
tree	560e43918d1dc36ce4cf760a5b27aed0c563bc1c /doc/source/features.rst
parent	9eebe8c67e03e3041d454ea28e93996f7a67740b (diff)

diff --git a/doc/source/features.rst b/doc/source/features.rst index 24c5074..08ad3d4 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -63,8 +63,8 @@ Examples of related vulnerabilities
63		63
64	.. _cookie-encryption-feature:	64	.. _cookie-encryption-feature:
65		65
66	Session-cookie stealing via XSS	66	Cookie stealing via XSS
67	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^	67	^^^^^^^^^^^^^^^^^^^^^^^
68		68
69	The goto payload for XSS is often to steal cookies.	69	The goto payload for XSS is often to steal cookies.
70	Like Suhosin, we are encrypting the cookies with a secret key,	70	Like Suhosin, we are encrypting the cookies with a secret key,
@@ -79,10 +79,7 @@ This feature is roughly the same than the `Suhosin one <https://suhosin.org/stor
79	Having a secret server-side key will prevent anyone (even the user himself)	79	Having a secret server-side key will prevent anyone (even the user himself)
80	from reading the content of the cookie, reducing the impact of an application storing sensitive data client-side.	80	from reading the content of the cookie, reducing the impact of an application storing sensitive data client-side.
81		81
82	The encryption is done via the `tweetnacl library <https://tweetnacl.cr.yp.to/>`_,	82
83	thus using curve25519, xsalsa20 and poly1305 for the encryption. We chose this
84	library because of its portability, simplicity and reduced size (a single `.h` and
85	`.c` file.).
86		83
87		84
88	.. _fileupload-feature:	85	.. _fileupload-feature: