
Re: Defeat Exit Node Sniffing?

defcon @ 2008/03/02 19:02:
| What is a good way to enforce a good cookie policy
| for firefox?

this was discussed a bit not too long ago.[1]  check that thread for
some useful links as well.

i learned that cookies have a security attribute which dictates if a
cookie is sent over an encrypted connection or not.  most sites which
require you to log on do not set this security attribute.  so, while you
may be sending your username/password over SSL, the cookie which
contains your "session id", etc. may be transferred in the clear.  so,
instead of an attacker gaining your username/password, they can gain
access to your session and do whatever you would be allowed to do whilst
logged in.  slightly less dangerous.  most sites require you to
reauthenticate before changing your password, so that is probably one
thing the attacker cannot do.

i'm not sure of a way to find out if a site will transfer its cookies
over an encrypted connection, without actually logging in and then
taking a look at the cookies you've received.  you can look at your
cookies in firefox and there is a line "Send for:" which will tell you
the type of connection used.  (maybe you need to install add-on
CookieSafe to see this detailed information).

i also learned that by using a cookie editor, you cannot force a cookie
to be sent over an encrypted connection.

ultimately, i would recommend turning off cookies altogether.  if you
have to log on to some site, i would recommend creating a new anonymous
email to use for that purpose alone.

really, i don't see why the webmasters do not just set cookies to be
sent over SSL.  i'm not a webmaster.  but, is it really that hard?  does
it add that much more overhead than they are already experiencing from
using HTTPS?  or are they just ignorant, lazy?

comments welcome. thanks.

1. http://archives.seul.org/or/talk/Sep-2007/threads.html#00100
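
An added example, not part of the original message: a small Python check for the cookie attribute discussed above (its name in the Set-Cookie header is `Secure`), which lists the cookies a browser would also send over plain HTTP and shows the server-side fix. The header values are constructed samples, and the function names are hypothetical.

```python
# Constructed sample: Set-Cookie header values as a site might return them
# over HTTPS right after login. Not taken from any real site.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "auth=deadbeef; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Expires=Wed, 09 Jun 2032 10:18:14 GMT; Path=/",
    "token=xyz; path=/; secure",  # attribute names are case-insensitive
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value ('' for flags).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_sent_in_clear(set_cookie_headers):
    """Names of cookies without Secure: the browser will attach these to
    plain-HTTP requests too, where an exit node or other observer sees them."""
    return [
        parse_set_cookie(h)[0]
        for h in set_cookie_headers
        if "secure" not in parse_set_cookie(h)[2]
    ]


def harden(header):
    """Return the header with Secure appended when it is missing, which is
    the change the site operator has to make."""
    if "secure" in parse_set_cookie(header)[2]:
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    print("sent in clear:", cookies_sent_in_clear(SAMPLE_HEADERS))
    for h in SAMPLE_HEADERS:
        print(harden(h))
```
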