[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Defeat Exit Node Sniffing?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Defeat Exit Node Sniffing?
From: scar <scar@xxxxxxxxxx>
Date: Wed, 05 Mar 2008 16:47:44 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Wed, 05 Mar 2008 18:45:08 -0500
In-reply-to: <a45400c30803021802w2d47598ds19f4ac3dc0664b91@xxxxxxxxxxxxxx>
References: <a45400c30803021230x47297f81t1901918c4910e48c@xxxxxxxxxxxxxx> <20080302211557.GL10785@xxxxxxxxxxxxxxxx> <47CB3B40.3050408@xxxxxxxxxx> <a45400c30803021802w2d47598ds19f4ac3dc0664b91@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

defcon @ 2008/03/02 19:02:
| What is a good way to enforce a good cookie policy
| for firefox?


this was discussed a bit not too long ago.[1]  check that thread for
some useful links as well.

i learned that cookies have a security attribute which dictates if a
cookie is sent over an encrypted connection or not.  most sites which
require you to logon do not set this security attribute.  so, while you
may be sending your username/password over SSL, the cookie which
contains your "session id",etc. may be transferred in the clear.  so,
instead of an attacker gaining your username/password, they can gain
access to your session and do whatever you would be allowed to do whilst
logged in.  slightly less dangerous.  most sites require you to
reauthenticate before changing your password, so that is probably one
thing the attacker cannot do.

i'm not sure of a way to find out if a site will transfer its cookies
over an encrypted connection, without actually logging in and then
taking a look at the cookies you've received.  you can look at your
cookies in firefox and there is a line "Send for:" which will tell you
the type of connection used.  (maybe you need to install add-on
CookieSafe to see this detailed information).

i also learned, that by using a cookie editor, you cannot force a cookie
to be sent over an encrypted connection.

ultimately, i would recommend turning off cookies all together.  if you
have to logon to some site, i would recommend creating a new anonymous
email to use for that purpose alone.

really, i don't see why the webmasters do not just set cookies to be
sent over SSL.  i'm not a webmaster.  but, is it really that hard?  does
it add that much more overhead than they are already experiencing from
using HTTPS?  or are they just ignorant, lazy?

comments welcome. thanks.


1. http://archives.seul.org/or/talk/Sep-2007/threads.html#00100
-----BEGIN PGP SIGNATURE-----

iD8DBQFHzzEgXhfCJNu98qARCMOdAJ9X+DJ/p5D9fwOToz2+DAAgjsJ2iwCfSkvx
CFYWm315wdIOqeCANbkrOgs=
=4oAz
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: Defeat Exit Node Sniffing?
  - From: Chris Palmer

References:
- Defeat Exit Node Sniffing?
  - From: defcon
- Re: Defeat Exit Node Sniffing?
  - From: Chris Palmer
- Re: Defeat Exit Node Sniffing?
  - From: scar
- Re: Defeat Exit Node Sniffing?
  - From: defcon

Prev by Author: Re: Defeat Exit Node Sniffing?
Next by Author: Re: Defeat Exit Node Sniffing?
Previous by thread: Re: Defeat Exit Node Sniffing?
Next by thread: Re: Defeat Exit Node Sniffing?
Index(es):
- Author
- Thread