[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How do we defeat exit node sniffing?

Hash: SHA256

defcon @ 2008/06/06 02:20:
> for http connections im worried about cookie sidejacking as well since
> some sites only authenticate via https and set a cookie, what can we do
> in this regard?

there's nothing to do in this case either. you have to be prepared for
your session to be hijacked.  at least, in this case, your password
cannot be changed since most sites require re-authenticating to change
the password (and that will be done via https).  always be sure to use
the "log out"/etc. link when done, to update the cookie accordingly.
again, personally, this hasn't happened to me (that i'm aware of).

from what i've casually seen in vidalia, if you are able to switch to
https, cookies are probably also exchanged via https even if they are
set to use "any type of connection" (as opposed to "encrypted
connections only").  i can hypothesize this because i no longer see
connections to port 80 after switching to https.  if the cookies were
being exchanged in the clear there would still be connections to port
80, right?  it seems wondering about this is mostly moot, though, since
the only way to be sure your information is secure is to use https all
the time with cookies set to use "encrypted connections only".  even
then you are placing trust in a CA, which is a third party also subject
to attack. oh my!