Re: Defeat Exit Node Sniffing?
scar writes:
> i also learned, that by using a cookie editor, you cannot force a cookie
> to be sent over an encrypted connection.
Which cookie editor(s) did you try? I use Add 'n' Edit Cookies, a Firefox
plugin. It offers a radio button to turn the Secure attribute on or off, but
I have not tested it to see if turning Secure on really works as it should.
If you tested it and it didn't work, that would seem like a bug in Add 'n'
Edit Cookies that the maintainer would want to know about.
It seems like it should be relatively easy to make a Firefox plugin that
always rewrites the Set-Cookie headers of incoming HTTP responses to have
the Secure attribute, so that Firefox thinks the server set them that way. I
have never written a Firefox plugin, though, so maybe it's hard. Dunno.
> ultimately, i would recommend turning off cookies altogether. if you
> have to log on to some site, i would recommend creating a new anonymous
> email to use for that purpose alone.
Cookies are a fine session management mechanism, and better than some
alternatives (e.g. putting a session identifier on the query string --
eek!). Web application developers just have to know how to use them
correctly.
> really, i don't see why the webmasters do not just set cookies to be sent
> over SSL. i'm not a webmaster. but, is it really that hard? does it add
> that much more overhead than they are already experiencing from using
> HTTPS? or are they just ignorant, lazy?
In my experience, it's mainly ignorance. Developers have often never heard
of the Secure attribute, or if they have, they don't know what it means.
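As an added illustration of the two ideas in this message (a client-side filter that rewrites incoming Set-Cookie headers so every cookie carries the Secure attribute, and an audit of which cookies a server set without it), here is a small Python example. It is not code from the thread or from the Add 'n' Edit Cookies plugin; the header list and cookie names are constructed sample data, and `force_secure`, `audit_set_cookies` and `rewrite_response_headers` are names chosen for this example.

```python
"""Rewrite and audit Set-Cookie headers for the Secure attribute.

Added example, not from the original thread. Attribute names in Set-Cookie
are case-insensitive (RFC 6265), so the check below normalises case.
"""
from typing import List, Tuple

Header = Tuple[str, str]  # (header name, header value)


def cookie_name(set_cookie: str) -> str:
    """Return the cookie name from a Set-Cookie value ("name=value; attrs")."""
    pair = set_cookie.split(";", 1)[0]
    return pair.split("=", 1)[0].strip()


def has_secure(set_cookie: str) -> bool:
    """True if the Set-Cookie value already carries the Secure attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs


def force_secure(set_cookie: str) -> str:
    """Return the Set-Cookie value with Secure appended if it was missing.

    This is what a browser-side filter (as suggested in the message) would do
    to every incoming Set-Cookie header, so the browser only returns the
    cookie over HTTPS. Cookies that already have Secure are left untouched.
    """
    if has_secure(set_cookie):
        return set_cookie
    return set_cookie.rstrip("; ") + "; Secure"


def audit_set_cookies(headers: List[Header]) -> List[str]:
    """Names of cookies the server set without the Secure attribute.

    Useful on the server/developer side: run it over a response's headers to
    catch session cookies that an exit node or any on-path observer could
    read when the browser later sends them over plain HTTP.
    """
    return [
        cookie_name(value)
        for name, value in headers
        if name.lower() == "set-cookie" and not has_secure(value)
    ]


def rewrite_response_headers(headers: List[Header]) -> List[Header]:
    """Apply force_secure to every Set-Cookie header; other headers pass through."""
    return [
        (name, force_secure(value)) if name.lower() == "set-cookie" else (name, value)
        for name, value in headers
    ]


# Constructed sample response headers for demonstration (not real traffic).
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),   # missing Secure
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),           # already Secure
    ("Set-Cookie", "csrftoken=xyz; Path=/; SECURE"),        # case variant
]


if __name__ == "__main__":
    print("Cookies set without Secure:", audit_set_cookies(SAMPLE_HEADERS))
    for name, value in rewrite_response_headers(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```

One caveat worth keeping in mind with the client-side rewrite: once a cookie is marked Secure, the browser will not send it on any plain-HTTP request, so a site that serves part of its pages over HTTP and expects the session cookie there will appear to log the user out on those pages. That is the intended trade-off, but it is why the fix is best applied by the web application itself.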