[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Defeat Exit Node Sniffing?
> i also learned, that by using a cookie editor, you cannot force a cookie
> to be sent over an encrypted connection.
Which cookie editor(s) did you try? I use Add 'n' Edit Cookies, a Firefox
plugin. It offers a radio button to turn the Secure attribute on or off, but
I have not tested it to see if turning Secure on really works as it should.
If you tested it and it didn't work, that would seem like a bug in Add 'n'
Edit Cookies that the maintainer would want to know about.
It seems like it should be relatively easy to make a Firefox plugin that
always rewrites the Set-Cookie headers of incoming HTTP responses to have
the Secure attribute, so that Firefox thinks the server set them that way. I
have never written a Firefox plugin, though, so maybe it's hard. Dunno.
> ultimately, i would recommend turning off cookies all together. if you
> have to logon to some site, i would recommend creating a new anonymous
> email to use for that purpose alone.
Cookies are a fine session management mechanism, and better than some
alternatives (e.g. putting a session identifier on the query string --
eek!). Web application developers just have to know how to use them
> really, i don't see why the webmasters do not just set cookies to be sent
> over SSL. i'm not a webmaster. but, is it really that hard? does it add
> that much more overhead than they are already experiencing from using
> HTTPS? or are they just ignorant, lazy?
In my experience, it's mainly ignorance. Developers have often never heard
of the Secure attribute, or if they have, they don't know what it means.