Defeat Exit Node Sniffing?

Chris Palmer chris at noncombatant.org
Thu Mar 6 00:05:40 UTC 2008


scar writes:

> I also learned that by using a cookie editor, you cannot force a cookie
> to be sent over an encrypted connection.

Which cookie editor(s) did you try? I use Add 'n' Edit Cookies, a Firefox
plugin. It offers a radio button to turn the Secure attribute on or off, but
I have not tested it to see if turning Secure on really works as it should.
If you tested it and it didn't work, that would seem like a bug in Add 'n'
Edit Cookies that the maintainer would want to know about.

It seems like it should be relatively easy to make a Firefox plugin that
always rewrites the Set-Cookie headers of incoming HTTP responses to have
the Secure attribute, so that Firefox thinks the server set them that way. I
have never written a Firefox plugin, though, so maybe it's hard. Dunno.

> Ultimately, I would recommend turning off cookies altogether. If you
> have to log on to some site, I would recommend creating a new anonymous
> email to use for that purpose alone.

Cookies are a fine session management mechanism, and better than some
alternatives (e.g. putting a session identifier on the query string --
eek!). Web application developers just have to know how to use them
correctly.

> Really, I don't see why the webmasters do not just set cookies to be sent
> over SSL. I'm not a webmaster. But is it really that hard? Does it add
> that much more overhead than they are already experiencing from using
> HTTPS? Or are they just ignorant, lazy?

In my experience, it's mainly ignorance. Developers have often never heard
of the Secure attribute, or if they have, they don't know what it means.
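One way to build the header-rewriting plugin sketched in the message above, as an added example that is not part of the original post and not code from any existing extension: a pure function that forces the Secure attribute onto every Set-Cookie response header, wrapped in a WebExtension webRequest.onHeadersReceived listener. The extension API calls (browser.webRequest, the "blocking" and "responseHeaders" options, the manifest permissions named in the comments) are the modern WebExtension API rather than the 2008 Firefox plugin API, and the sample headers at the bottom are constructed for a stand-alone run.

```javascript
// Added example (not from the original post): a WebExtension-style
// response-header rewriter that forces the Secure attribute on every
// Set-Cookie header, so the browser will only send the cookie over HTTPS.
// The pure functions work on the {name, value} header array that
// browser.webRequest.onHeadersReceived passes to listeners; the listener
// registration at the bottom is only attempted when that API exists, so
// the file also runs under plain Node.

// True if the cookie string already carries the Secure attribute.
// Attributes follow the name=value pair, separated by ';', and attribute
// names are case-insensitive (RFC 6265 section 5.2).
function hasSecureAttribute(setCookieValue) {
  return setCookieValue
    .split(";")
    .slice(1) // element 0 is name=value, not an attribute
    .some((attr) => attr.trim().toLowerCase() === "secure");
}

// Append "; Secure" unless it is already present; strip trailing
// separators first so we never emit ";; Secure".
function forceSecure(setCookieValue) {
  const trimmed = setCookieValue.replace(/[;\s]+$/, "");
  return hasSecureAttribute(trimmed) ? trimmed : trimmed + "; Secure";
}

// Rewrite every Set-Cookie header (header names are case-insensitive) in a
// response-header array, leaving other headers untouched. Returns a new
// array; the input is not mutated.
function secureAllSetCookies(responseHeaders) {
  return responseHeaders.map((h) =>
    h.name.toLowerCase() === "set-cookie"
      ? { ...h, value: forceSecure(h.value) }
      : h
  );
}

// Inside an extension (assumed manifest permissions: "webRequest",
// "webRequestBlocking", "<all_urls>") install a blocking listener that
// returns the rewritten headers. Skipped when no browser API is present.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => ({
      responseHeaders: secureAllSetCookies(details.responseHeaders),
    }),
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"]
  );
}

// Constructed sample response headers: one cookie without Secure, one that
// already has it (with a lower-case header name, as some servers send).
const sampleHeaders = [
  { name: "Content-Type", value: "text/html" },
  { name: "Set-Cookie", value: "SESSIONID=abc123; Path=/; HttpOnly" },
  { name: "set-cookie", value: "prefs=dark; Path=/; Secure" },
];

console.log(JSON.stringify(secureAllSetCookies(sampleHeaders), null, 2));
```

One caveat a practitioner should know before relying on this: Firefox 52 and Chrome 52 onward reject a Set-Cookie that carries Secure when the response itself arrived over plain http://, so in a current browser this rewrite makes an HTTP-set cookie disappear rather than turn HTTPS-only. It still keeps the cookie off the wire in cleartext, which is the threat the thread is about, but the site will behave as if the cookie was never set unless it sets cookies over HTTPS in the first place.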



More information about the tor-talk mailing list