[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: a changing network security landscape is difficult for even the biggest tech companies to wrestle with

coderman @ 2007/09/10 18:16:
> 0. Web sites may transmit authentication tokens unencrypted
>    http://www.kb.cert.org/vuls/id/466433
>    ... still no progress, with the companies in question dragging their feet...
> 1. World's biggest websites no match for decade-old web bug
>  http://www.theregister.co.uk/2007/09/08/security_group_warns_of_web_vulnerabity/
> """
> US CERT warned that Google, eBay, MySpace, Yahoo, and Microsoft were
> vulnerable, but that list is nowhere near exhaustive. Just about any
> banking website, online social network or other electronic forum that
> transmits certain types of security cookies is also susceptible.

so, if we are using a website that uses HTTPS, but, in firefox, for example, in the cookies list under that website it shows "Send for: any type of connection", then the session is vulnerable?  or, we should at least assume that?  if that is correct, is there perhaps a way to force these cookies to be sent over the encrypted connection?  in that cert.org article it says:

	Accessing the web site using encrypted HTTPS may
	mitigate this vulnerability. Note that the entire
	session, not just the initial username and password,
	will need to be encrypted. For this workaround to
	be completely effective, the secure attribute must
	be set on the cookie.

i see it is possible to manually set this secure attribute on the cookie using an add-on like add n edit cookies[1], i think.  editing the cookie allows me to change "any type of connection" to "encrypted connections only".

however, even after manually changing this attribute, the website i tested this with reset some of the cookies back to "any type of connection".  the cookies it reset back to this insecure state seemed to be the more private ones, named "Session" and "User", the ones one would *want* to be encrypted.

additionally, even if the website did not reset the secure attribute, who is to say the website will acknowledge my change of the secure attribute and use an encrypted connection?

further, the site i tested this with did not set the cookies until after i sent a user/password over https (logged in), so the initial cookies i received were sent over an unencrypted connection.  even if it was possible to force the cookies to use an encrypted connection afterwards, the attack could have already happened, no?

seems to me we should stop using private, https websites which do not send cookies via encrypted connections, right?

1. https://addons.mozilla.org/en-US/firefox/addon/573

Attachment: signature.asc
Description: OpenPGP digital signature