a changing network security landscape is difficult for even the biggest tech companies to wrestle with

Vlad "SATtva" Miller sattva at pgpru.com
Sun Sep 16 00:28:06 UTC 2007


coderman wrote on 14.09.2007 06:39:
> On 9/13/07, scar <scar at drigon.com> wrote:
>> ...
>> so, if we are using a website that uses HTTPS, but, in firefox, for
>> example, in the cookies list under that website it shows "Send
>> for: any type of connection", then the session is vulnerable?
> 
> vulnerable against a MITM that can request / inject an HTTP page,
> frame, or item to the site.  this would expose the auth cookie and
> allow hijacking of the account.
> 
> for solely passive monitoring, as long as everything is HTTPS it will
> be protected. <snip>

Unfortunately, the problem is bigger than that. Suppose a website that
stores user_login+hashed_password as an authentication token in a cookie
not marked as "secure (SSL only) cookie". If, even accidentally, our
user browses to that site by means of open HTTP, his browser will
transfer this stored cookie in a standard GET request and make it
susceptible to passive sniffing. Now the attacker can trivially pass
the same cookie data to the website and hijack the user's account.

-- 
SATtva | security consulting
www.vladmiller.info | www.pgpru.com
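The cookie behaviour discussed in this thread, as an added example (not code from the original message or from the list): it parses Set-Cookie headers the way a browser does and reports which cookies would also be attached to a plain http:// request because they lack the Secure flag. The header values are constructed sample data.

```python
"""Check which cookies set by an HTTPS site would also travel over plain HTTP.

Added example, not from the original thread. Parses Set-Cookie header
values as a browser would and reports cookies that lack the Secure flag,
i.e. the ones Firefox lists as "Send for: any type of connection".
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample responses: a login token without Secure (the case
# described in the thread) next to a correctly flagged session cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "auth=alice%3A0123abcd; Path=/",
    "sid=6c1b8f2e; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header_values):
    """Return {name: {"value": str, "secure": bool, "httponly": bool}}."""
    cookies = {}
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            cookies[name] = {
                "value": morsel.value,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return cookies


def cookies_sent_to(cookies, url):
    """Names of cookies a browser would attach to a request for `url`.

    A Secure cookie is sent only over https; every other cookie goes out
    with any scheme, including an accidental or injected http:// request.
    """
    scheme = urlparse(url).scheme
    return sorted(n for n, c in cookies.items() if scheme == "https" or not c["secure"])


def insecure_cookies(cookies):
    """Cookies that would be exposed to passive sniffing on an http:// request."""
    return sorted(n for n, c in cookies.items() if not c["secure"])


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE_HEADERS)
    print("sent over http: ", cookies_sent_to(jar, "http://example.com/"))
    print("sent over https:", cookies_sent_to(jar, "https://example.com/"))
    print("missing Secure: ", insecure_cookies(jar))
```

Run it against the Set-Cookie headers of a real login response to see which cookies need the Secure (and HttpOnly) flag added.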


