
Re: a changing network security landscape is difficult for even the biggest tech companies to wrestle with



On 9/13/07, scar <scar@xxxxxxxxxx> wrote:
> ...
> so, if we are using a website that uses HTTPS, but, in firefox, for
> example, in the cookies list under that website it shows "Send
> for: any type of connection", then the session is vulnerable?

vulnerable against a MITM that can request / inject an HTTP page,
frame, or item to the site.  this would expose the auth cookie and
allow hijacking of the account.

for solely passive monitoring, as long as everything is HTTPS it will
be protected. (for example, gmail via https)


> i see it is possible to manually set this secure attribute on the cookie using an add-on like add n edit cookies[1], i think.  editing the cookie allows me to change "any type of connection" to "encrypted connections only".

yes.  then if a MITM tries to request a non-encrypted resource of any
type, the cookie will not be sent with that request, protecting the
authenticated session.


> however, even after manually changing this attribute, the website i tested this with reset some of the cookies back to "any type of connection".  the cookies it reset back to this insecure state seemed to be the more private ones, named "Session" and "User", the ones one would *want* to be encrypted.

if they do this, you're back to square one.  a dirty hack i've been
using is to configure adblock to block all http:// requests to a site
that i access via https.  if an attacker tries to inject a link to a
resource that is not SSL protected it gets blocked.


> additionally, even if the website did not reset the secure attribute, who is to say the website will acknowledge my change of the secure attribute and use an encrypted connection?

most sites are like this, and simply don't support encryption for the
full duration of a session (limiting encryption to only log in for
example).


> further, the site i tested this with did not set the cookies until after i sent a user/password over https (logged in), so the initial cookies i received were sent over an unencrypted connection.  even if it was possible to force the cookies to use an encrypted connection afterwards, the attack could have already happened, no?

yup.  these sites are irrevocably broken.


> seems to me we should stop using private, https websites which do not send cookies via encrypted connections, right?

yes.

best regards,
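
The check discussed in this thread, as an added example that is not part of the original message: it reads Set-Cookie headers and lists the cookies a browser would also attach to a plain http:// request, i.e. those Firefox shows as "any type of connection". The header values and function names are constructed for illustration, and domain/path matching is deliberately left out.

```python
# Constructed sample: Set-Cookie header values as an HTTPS site might send them.
SAMPLE_HEADERS = [
    "Session=8f3a1c; Path=/; HttpOnly",        # no Secure attribute
    "User=scar; Path=/; Secure; HttpOnly",     # encrypted connections only
    "Prefs=lang%3Den; Path=/; secure",         # attribute names are case-insensitive
    "Tracking=1; Domain=example.test; Path=/", # no Secure attribute
]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def sent_over(scheme, attrs):
    """Would the cookie be attached to a request made with this scheme?

    Only the Secure attribute is modelled (assumption: domain and path match).
    """
    return scheme == "https" or "secure" not in attrs


def audit(headers):
    """Return the names of cookies that would be exposed by an injected http:// request."""
    exposed = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if sent_over("http", attrs):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: sent for any type of connection (no Secure attribute)")
```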