HTTPS Cookie Hijacking Not Just For Gmail

← Back to Stories (view on slashdot.org)

HTTPS Cookie Hijacking Not Just For Gmail

Posted by timothy on Tuesday September 9, 2008 @04:24AM from the cookie-monster-demands-satisfaction dept.

mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem. "I figure the Slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool are gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space." (More below.) "I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."

128 comments

Min score:

Reason:

Sort:

new security vulnerability by Anonymous Coward · 2008-09-09 04:28 · Score: 2, Funny

Posting an e-mail address on /.
1. Re:new security vulnerability by Anonymous Coward · 2008-09-09 05:15 · Score: 2, Interesting
  
  i'm thinking cm is "contact me", so contact me via the fscked organisation
2. Re:new security vulnerability by street+struttin' · 2008-09-09 06:00 · Score: 1
  
  How do we know he isn't phishing for email addresses right in the summary?
3. Re:new security vulnerability by Anonymous Coward · 2008-09-09 06:29 · Score: 1
  
  Are you that ignorant that you can't figure out his email.
  via = @
  thefsckedorganization = fscked.org
  He is using mikeperry-cm@ because he's called his tool Cookie Monster.
  I swear, some people need an IQ test before they should be allowed to post!!
4. Re:new security vulnerability by Anonymous Coward · 2008-09-09 06:46 · Score: 0
  
  So why doesn't he just put mikeperry-cm@fscked.org or mikeperry@fscked.org right in the post?
5. Re:new security vulnerability by Anonymous Coward · 2008-09-09 07:09 · Score: 1, Informative
  
  Because then every worm that looks for username@domain.cc would find it. Congrats on defeating the purpose by posting it, though.
6. Re:new security vulnerability by Anonymous Coward · 2008-09-09 07:16 · Score: 1, Insightful
  
  This is what throw-away email addresses are for... just create one for this specific thing, post it, reply to people, then delete the email after 3 days. What's so hard about that? Or if he's going to obfuscate it, at least make it so actual humans can figure it out without guessing.
7. Re:new security vulnerability by gad_zuki! · 2008-09-09 07:36 · Score: 4, Funny
  
  cmvia is command modulated voice interface application. In other words you roll down your window and yell 'MIKE PERRY I NEED THAT FILE.' Eventually a carrier pigeon delivers it to you.
8. Re:new security vulnerability by Anonymous Coward · 2008-09-09 08:02 · Score: 0
  
  mikeperry-cm@fscked.org didn't get returned? mikeperry-cm@fscked.org? right?
  mikeperry-cm@fscked.org?
  or was it mikeperry@fscked.org? without the cm, you know? mikeperry@fscked.org?
  Do spiders actually crawl through the comment pages? Looking for addresses like mikeperry-cm@fscked.org and mikeperry@fscked.org? Or just the main page?
9. Re:new security vulnerability by Heembo · 2008-09-09 10:51 · Score: 2, Funny
  
  He was just trying to use basic Darwinism to filter out idiots. But some defender of white moths told them to fly away and take cover cause da smoke was a comin! Dam u!
  
  --
  Horns are really just a broken halo.
10. Re:new security vulnerability by grcumb · 2008-09-09 11:11 · Score: 1
  
  i'm thinking cm is "contact me", so contact me via the fscked organisation
  Er, cm == 'Cookie Monster', I think.
  He's likely using a hyphenated address which allows for filtering using scripted mail tools.
  
  --
  Crumb's Corollary: Never bring a knife to a bun fight.
11. Re:new security vulnerability by Minozake · 2008-09-10 12:35 · Score: 1
  
  We don't. If you don't want to take the risk, you don't have to do anything.
  
  --
  http://sourcemage.org/ - Have fun :)
yeah... by n3tcat · 2008-09-09 04:30 · Score: 1

...see this is why the military has an entirely physically separate internet for the Really Important Shit(tm).
1. Re:yeah... by $RANDOMLUSER · 2008-09-09 04:51 · Score: 2, Funny
  
  Yep. The Very Best(tm) security is an air gap.
  But it kinda limits your possibilities.
  
  --
  No folly is more costly than the folly of intolerant idealism. - Winston Churchill
2. Re:yeah... by n3tcat · 2008-09-09 04:54 · Score: 5, Informative
  
  In what way? We run a lot of stuff over our SIPR and I haven't really noticed any "limits" to what we've done. Hell, I even watch CNN over SIPR sometimes.
3. Re:yeah... by Anonymous Coward · 2008-09-09 05:01 · Score: 0
  
  Are you sure you are on the SIPR?
4. Re:yeah... by PJ+The+Womble · 2008-09-09 05:06 · Score: 2, Interesting
  
  I think Franklin ahref=http://sln.fi.edu/franklin/scientst/electric.htmlrel=url2html-25902http://sln.fi.edu/franklin/scientst/electric.html> might have disagreed vehemently with you. Air breaks down as a dielectric, given a high enough voltage across it. And, of course, electromagnetic radiation of all kinds goes right on through air as if it wasn't there. And don't get me started on sound ;-)
5. Re:yeah... by $RANDOMLUSER · 2008-09-09 05:09 · Score: 1
  
  No, I said an air gap (i.e. no network connection) is the best security, but it limits your possibilities.
  
  --
  No folly is more costly than the folly of intolerant idealism. - Winston Churchill
6. Re:yeah... by n3tcat · 2008-09-09 05:12 · Score: 1
  
  Ah, yeah "air gapping" is what we call transferring data from one side to the other. Now I understand what you were saying though.
7. Re:yeah... by Anonymous Coward · 2008-09-09 05:17 · Score: 0
  
  Actually, it's not quite entirely physically separate. Trust me on this.
8. Re:yeah... by Hyppy · 2008-09-09 05:20 · Score: 2, Informative
  
  Many (most?) classified government systems require TEMPEST hardening, to specifically protect against your second point. Many government buildings which contain classified materials also require a similar hardening.
9. Re:yeah... by lems1 · 2008-09-09 05:20 · Score: 1
  
  I like that when you click on the Privacy notice on the DoD Network Information Site (http://www.nic.mil/), you get a 404 page:
  http://www.disa.mil/info/secpriv.html
  Ah, the irony of it... I guess there is not a single privacy statement that would protect anybody from just clicking through publicly available pages?
  
  --
  This sig can be distributed under the LGPL license
10. Re:yeah... by Hyppy · 2008-09-09 05:24 · Score: 2, Insightful
  
  He is. Rebroadcasting a satellite feed is simple.
11. Re:yeah... by jsalbre · 2008-09-09 05:42 · Score: 1
  
  My private Internet is better than your private Internet.
  
  --
  Jeremy http://alucinari.net
12. Re:yeah... by Anonymous Coward · 2008-09-09 05:58 · Score: 0
  
  Let me guess, the other channels are weather channel, FoxNews, and some lame training station.
13. Re:yeah... by Frosty+Piss · 2008-09-09 06:05 · Score: 2, Insightful
  
  CNN, FoxNews, and a few other broadcast channels are re-broadcast on SIPR because that's where Intel gets their Intel.
  
  Walk into any US Intel / Base Ops / Command Post in the world, and you'll find CNN on a big flat-screen up on the wall.
  
  --
  If you want news from today, you have to come back tomorrow.
14. Re:yeah... by LiENUS · 2008-09-09 06:09 · Score: 3, Funny
  
  Walk into any US Intel / Base Ops / Command Post in the world, and you'll find CNN on a big flat-screen up on the wall.
  I tried this, now i'm in gitmo.
15. Re:yeah... by Obfuscant · 2008-09-09 06:30 · Score: 1
  
  Walk into any US Intel / Base Ops / Command Post in the world, and you'll find CNN on a big flat-screen up on the wall.
  Yep, it's a good idea to monitor the broadcasts of the opposition.
  CNN -- the news network that carries The Daily Show on it's international feed.
16. Re:yeah... by Anonymous Coward · 2008-09-09 08:45 · Score: 0
  
  dunno, wifi works pretty good over here.
17. Re:yeah... by ksd1337 · 2008-09-09 10:51 · Score: 1
  
  Cue Richard Stallman singing a song about freedom... now.
18. Re:yeah... by Anonymous Coward · 2008-09-09 11:14 · Score: 0
  
  Red/Black nomenclature. Red is classified and protected by physical means both against intrusion and sniffing (Van Eck), Black is not. Anything going black must be encrypted.
19. Re:yeah... by Uber+Banker · 2008-09-09 23:43 · Score: 1
  
  Do you refer to Sneakernet? Back in the day it was only 1.44MB bandwidth but the latency sucked. Not bandwidth it 4GB plus but latency is not much better.
20. Re:yeah... by Anonymous Coward · 2008-09-13 00:22 · Score: 0
  
  Dear,
  I am Jeffrey Chew, from one of the Prime banks here in Malaysia. I know there is
  scam all over the place,i am ready to give you all the information you need to verify my person,
  Regarding to your advert about possible investment. I wish to bring to your notice my
  interest to partnership with you in this great business opportunity. After going through the
  message bellow, kindly get back to me.
  I want to transfer to overseas account ($26,000.000.00 USD) Twenty Six million United States Dollars) from a Prime Bank here in Malaysia, I want to ask you, If you are not capable to quietly look for a reliable and honest person who will be capable and fit to provide either an existing bank account or to set up a new Bank a/c immediately to receive this money, even an empty a/c can serve to receive this money, as long as you will remain honest to me till the end for this important business trusting in you and believing in God that you will never let me down either now or in future.
  I work with the Auditing Department of one of the Prime bank here in Kuala Lumpur Malaysia, during the course of our auditing, I discovered a floating fund in an account opened in the bank in 1999 and since 2003 nobody has operated on this account again, after going through some old files in the records I discovered that the owner of the account died without a [Heir/WILL] hence the money is floating and if I do not remit this money out urgently it will be forfeited for nothing.
  The owner of this account is Morris McDonald a foreigner, a great industrialist and he died since 2001.No other person knows about this account or anything concerning it, the account has no other
  beneficiary and my investigation proved to me as well that until his death he was the director of
  PINE GOLD [pty] Malaysia.
  We will start the first transfer with Six million [$6,000.000] upon successful transaction without any disappoint from your side, we shall re-apply for the payment of the remaining rest amount to your account. The total amount involve is Twenty Six million United States Dollars only [$26,000.000.00].
  I want to first transfer $6,000.000.00 [Six million United States Dollar] from this money into a safe foreigners account abroad before the rest. But I don't know any foreigner, I am only contacting you as a foreigner because this money cannot be approved to a local person here, without valid international foreign passport, but can only be approved to any foreigner with valid international passport or drivers license and foreign a/c because the money is in US dollars and the former owner of the a/c is a foreigner too, and the money can only be approved into a foreign a/c.
  I want us to meet face to face to build confidence and to sign a binding agreement that will bind us together, immediately after the first transfer before we fly to your country for withdrawal, sharing and investments.
  I need your full co-operation to make this work fine because the management is ready to approve this payment to any foreigner who has correct information of this account, which I will give to you
  upon your positive response and once I am convinced that you are capable and will meet up with
  instruction of a key bank official who is deeply involved with me in this business. I need your
  strong assurance that you will never, never let me down. At the conclusion of this business, you
  will be given 35% of the total amount, 60% will be for me, while 5% will be for expenses both
  parties might have incurred during the process of transferring.
  I look forward to your earliest reply through my email address for more information.
  Thanks and God bless
  Yours Truly,
  Jeffrey Chew
  o-cbc@hotmail.com
Easy to find out... by nweaver · 2008-09-09 04:34 · Score: 5, Informative

If you want to manually examine a site you visit:
Clear all cookies.
Log in.
Clear all cookies marked as "SECURE" (in firefox, preferences->privacy->show cookies. Delete JUST the cookies marked as "Encrypted connections only").
Go back to the site. Can you act as if you are logged in? If so, the site is COMPLETELY insecure.

--
Test your net with Netalyzr
1. Re:Easy to find out... by sakdoctor · 2008-09-09 04:50 · Score: 1
  
  All of my cookies are for "Any type of connection" including my bank.
2. Re:Easy to find out... by pragueexpat · 2008-09-09 04:51 · Score: 5, Interesting
  
  if this is true (and I am able to follow directions correctly) then Bank of America has some explaining to do.
  
  --
  "The prohibition will be strongest when the group is nervous." - Paul Graham
3. Re:Easy to find out... by blueg3 · 2008-09-09 04:58 · Score: 4, Insightful
  
  I think the explanation is quite simple. "We don't know what we're doing."
4. Re:Easy to find out... by jDeepbeep · 2008-09-09 04:59 · Score: 1
  
  Bank of America has some explaining to do.
  They would boast about their SiteKey© or some such thing. I doubt much would change without a greater segment of the customer base demanding it.
  
  --
  Reply to That ||
5. Re:Easy to find out... by brunascle · 2008-09-09 05:05 · Score: 4, Informative
  
  If you're suggesting that the site should be tying the cookie to an ip address, then I have to disagree. I've done just that, and I discovered that it's a very bad idea. Not just because some people have a different ip address from one session to the next, but because some of them have a different ip address from one page to the next. For example, there are some ISPs that send GET requests through one address, and POSTs through another.
6. Re:Easy to find out... by HungryHobo · 2008-09-09 05:12 · Score: 2, Interesting
  
  I can get you there.
  My ISP assigns me a new IP every few minutes even if I'm in the middle of a download. Makes using rapidshare impossible.
  And yes, there's always the jackass developer who thinks he's smart locking sessions to an IP which for me just means either being logged out again and again or it locking up till the link to the old IP has expired.
  Yes I know it's the ISP but they're the only game in town and I'm not going back to 56K
7. Re:Easy to find out... by morgan_greywolf · 2008-09-09 05:16 · Score: 2, Funny
  
  if this is true (and I am able to follow directions correctly) then Bank of America has some explaining to do.
  Here, why don't you give me your current IP address real quick and I'll take a look it to make sure you're doing everything correctly. ;)
  
  --
  My blog
8. Re:Easy to find out... by mcrbids · 2008-09-09 06:01 · Score: 3, Interesting
  
  I did this with our own web-based product and found out that yes, indeed, we are insecure. It took a few minutes of poking around to find out how to secure our site.
  So, for everybody else: if you are using PHP, you need to pay attention to Set_Cookie_Params() . Here's the 1-liner call that we make in order to solve this problem for us, before any calls to session_register():
  Session_Set_Cookie_Params(720, '/', $_SERVER['SERVER_NAME'], true);
  Parameters:
  1) 720: Our sessions timeout after 2 hours.
  2) '/': the cookie applies to all paths within our site.
  3) $_SERVER['SERVER_NAME']: applies only to the specific domain name originally called. (we use subdomains, so this is important)
  4) true: (the most important one), this means that the cookies can only be used over SSL.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
9. Re:Easy to find out... by Atario · 2008-09-09 06:13 · Score: 1
  
  Bank of America has had some explaining to do for many years now, and I ain't talkin' 'bout no websites, neither.
  
  --
  "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
10. Re:Easy to find out... by Anonymous Coward · 2008-09-09 06:19 · Score: 0
  
  Which ISP is this? Gotta know so that I know to avoid them in future...
11. Re:Easy to find out... by certain+death · 2008-09-09 06:29 · Score: 0
  
  I think most people here and anywhere else would be quite impressed with the Bank of America security operations if they could see what goes on behind the scenes. I am a security person, and I trust them with my money...to an extent, I still think they have some custom calculators built just for their figuring of interest!
  
  --
  "My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
12. Re:Easy to find out... by ldaff · 2008-09-09 06:34 · Score: 1
  
  I could be wrong, but I don't think this is true in our circumstances. We have a site that doesn't allow any connections other that https. So, even though we do have cookies set to go through all connections - there is no way to get a non-ssl connection to the site and have the cookies go out clear over the wire. Someone please correct me if I'm wrong, because we'd have some changes to make.
13. Re:Easy to find out... by Anonymous Coward · 2008-09-09 06:41 · Score: 0
  
  My ISP assigns me a new IP every few minutes even if I'm in the middle of a download. Makes using rapidshare impossible.
  How *do* you download anything if you get a new IP every few minutes?
  Are you able to VPN into work for more than a few minutes at a time?
14. Re:Easy to find out... by Anonymous Coward · 2008-09-09 06:52 · Score: 0
  
  You need to have no open TCP ports on your machine (or any servers in your domain), now or in the future.
  If i inject a link that your browser follows to http://yourdomain:443/ or http://yourdomain:25/ (note the lack of an "s" in the protocol name) then I have your session cookie as soon as your browser issues the request for the page.
15. Re:Easy to find out... by who+what+why · 2008-09-09 07:13 · Score: 1
  
  Telkom South Africa do exactly this. I should know, I spent about three hours last week debugging a PHP application that would not accept the cookie if it came from a different IP address. I found that successive requests from one machine were appearing at the server to originate from two different IPs. No idea how/why this happens - no proxy was set in the OS or browser of the client.
  Not that you wouldn't want to avoid Telkom in the first place... but then, if we could avoid them we wouldn't be using them in the first place!
16. Re:Easy to find out... by raddan · 2008-09-09 07:23 · Score: 1
  
  Not to mention, there are some very large NATs out there. IPs are not in 1:1 correspondence with real machines.
17. Re:Easy to find out... by ldaff · 2008-09-09 07:29 · Score: 1
  
  Thanks. I was thinking of it from the side of our server - we don't send cookies to them non-ssl. But, the act of making the request would send out the cookies from their browser. So, if a logged in user clicked on a link to http://ourdomain/ they would be screwed.
18. Re:Easy to find out... by Narcocide · 2008-09-09 08:08 · Score: 1
  
  *cough* AOL *cough*
19. Re:Easy to find out... by enoz · 2008-09-09 13:22 · Score: 1
  
  You could do the same thing using a .htaccess file (assuming you are running Apache).
  php_flag session.cookie_secure on
  This way ensures that it is set before any PHP script runs, regardless of what scripts are used.
20. Re:Easy to find out... by Anonymous Coward · 2008-09-09 14:37 · Score: 0
  
  The test you just described isn't really 100% valid. It's possible in some cases for a website to set cookies without using the "secure" flag but still ensure they are always sent via an encrypted connection.
  If the cookie is set without using a domain, it will only be sent back to the fully qualified hostname of the page that set the cookie. If this fully qualified hostname is only responding on port 443 (SSL), then in effect the cookie is secure. So for example, if https://account.bank.com sets a session cookie without specifying a domain and without setting the secure flag, AND account.bank.com only accepts SSL connections and doesn't respond on port 80, then the cookie is secure, even without the secure flag.
21. Re:Easy to find out... by HungryHobo · 2008-09-09 22:01 · Score: 1
  
  BT ireland,
  I've sat and watched my IP change while I had active connections.
  I can have an SSH session open to a remote server and suddenly it stops responding and I have to open a new one. fucking annoying.
22. Re:Easy to find out... by HungryHobo · 2008-09-09 22:07 · Score: 1
  
  some download managers deal with the switch ok. Unfortunatly some servers do not.
23. Re:Easy to find out... by n1ckml007 · 2008-09-10 00:13 · Score: 1
  
  and you don't want to pay the extra $5 a month or what have you for a static IP?
24. Re:Easy to find out... by HungryHobo · 2008-09-10 00:29 · Score: 1
  
  Only available with the buisness package(or so I was told when I called them) which is much more expensive.
25. Re:Easy to find out... by Phroggy · 2008-09-10 01:06 · Score: 1
  
  No idea how/why this happens - no proxy was set in the OS or browser of the client.
  A router can be configured to transparently redirect all traffic destined for port 80 (with any destination IP) into a proxy server; it's called a "transparent proxy" because your browser doesn't know it's happening. Here's more information and how to set it up on Linux.
  
  --
  $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
  $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
26. Re:Easy to find out... by Anonymous Coward · 2008-09-10 04:21 · Score: 0
  
  It does actually matter in that the PKI infustructure exists to prevent Active-MITM attacks. Some little kiddy inside your wires can mangle any HTTP request from your computer to the same realm as the banking application you are using to obtain your cookie and then use it to impersonate yourself.
  I have two observations.
  1. Its great that these sorts of nuances are brought to the attention of the masses via slashdot et al. The more secure everyones applications are the better.
  2. This is really nothing new and hardly constitutes a novel discovery. Many others knew about this possibility for quite a while.. The very fact that RFC2109 from 1997 has a "secure" flag shows this sort of thing was already concidered early on.
  Now what I learned from this was the hide cookie from itself (browser client) indicator which I did not know existed and was added later by MS et al of all people. Its a good idea but preventing XSS in the first place is a better one :-)
27. Re:Easy to find out... by Anonymous Coward · 2008-09-11 18:43 · Score: 0
  
  That is incorrect. Even if the server does not accept any connections at all, an attacker can get the cookie. It is a MITM attack, so the attacker can simply provide the server himself.
You are in grave danger.. by Anonymous Coward · 2008-09-09 04:40 · Score: 0

...so give me your emailaddress.
Comment removed by account_deleted · 2008-09-09 04:46 · Score: 4, Informative

Comment removed based on user account deletion
WTF?!? by Anonymous Coward · 2008-09-09 04:48 · Score: 5, Insightful

If you are going to release a tool, just fucking do it. Give is a link and be done with it.
1. Re:WTF?!? by Anonymous Coward · 2008-09-09 05:00 · Score: 0
  
  Guaranteed that this will be posted to a torrent site, Usenet, or RapidShit by the end of the day.
2. Re:WTF?!? by blueg3 · 2008-09-09 05:03 · Score: 1
  
  So ask someone who went to DEFCON for a copy.
3. Re:WTF?!? by Anonymous Coward · 2008-09-09 05:34 · Score: 0
  
  This tool should be posted publicly so that this "threat" can also be studied by people who don't know anyone who went to defcon or who don't want to waste their friends valuable time on what is probably an exagerated threat (I've always assumed my cookies were transferrable).
4. Re:WTF?!? by kernelphr34k · 2008-09-09 05:41 · Score: 1
  
  I was at defcon, and Mike did not have the tool ready to be released... So yea. Email him, he's a nice guy.
5. Re:WTF?!? by Anonymous Coward · 2008-09-09 13:08 · Score: 0
  
  If you are going to release a tool, just fucking do it.
  Why don't you bend over and I'll release my tool.
  Thank you! I'm here all week. Don't forget to tip the waitresses!
please tag itsatrap by sveard · 2008-09-09 04:54 · Score: 4, Interesting

Why don't YOU just e-mail the guy and be done with it?!
Perhaps it's... A TRAP!
1. Re:please tag itsatrap by Joe+U · 2008-09-09 04:59 · Score: 3, Funny
  
  Please install this tool on all servers and workstations as admin for maximum benifit.
Comment removed by account_deleted · 2008-09-09 04:56 · Score: 2, Interesting

Comment removed based on user account deletion
Djagno and Secure Cookies by randomc0de · 2008-09-09 05:09 · Score: 5, Informative

I run a few Django SSL-secured websites, and I noticed the default is to send insecure cookies for the session id (i.e. hijack-able cookies). I'm going to try to get on someone's case to make this information more widely available, because you have to turn on secure cookies with a "SESSION_COOKIE_SECURE = True" statement, which I never knew until I checked today. Doing this should secure any Django-powered site from this particular attack.

--
Three rights make a left. Freedom of speech, freedom of the press, freedom of assembly.
1. Re:Djagno and Secure Cookies by Anonymous Coward · 2008-09-09 05:37 · Score: 0
  
  Why, just why, would the default for 'secure cookies' ever be set to false?!
  I just don't understand...
2. Re:Djagno and Secure Cookies by corbettw · 2008-09-09 06:08 · Score: 1
  
  Because most sites don't use SSL to begin with. That said, they should at least include the line in the settings.py file, with a comment to set it to True if you use SSL.
  
  --
  God invented whiskey so the Irish would not rule the world.
3. Re:Djagno and Secure Cookies by Anonymous Coward · 2008-09-09 14:45 · Score: 0
  
  Even better, there should be a default setting that will cause Django to automatically set the secure attribute for the cookie if the current connection is using SSL. This way you won't have to worry about changing the config file based on whether your site is using SSL or not.
4. Re:Djagno and Secure Cookies by pavera · 2008-09-09 16:11 · Score: 1
  
  So... I suppose I've been mis-using SSL all along, but, I secure the login with ssl, after that, the information inside my sites isn't particularly sensitive in any way, I just protect the username/password on the wire for all those people that have 1 username and 1 password for everything...
  I assume to protect against this vuln every page behind the login has to be 100% SSL secured so that you can keep sending the sessionid cookie? If so, that means I get to buy twice as many servers for my 2 little web apps (that already have 5 servers dedicated to them) to support all that SSL traffic? It's not like I'm making much money off these things, maybe 3-400 in ads a month. Am I understanding correctly?
5. Re:Djagno and Secure Cookies by randomc0de · 2008-09-09 19:04 · Score: 1
  
  I assume to protect against this vuln every page behind the login has to be 100% SSL secured so that you can keep sending the sessionid cookie? If so, that means I get to buy twice as many servers for my 2 little web apps (that already have 5 servers dedicated to them) to support all that SSL traffic?
  I doubt it. Try turning on secure cookies and only having an SSL-enabled login page. Your webserver should be able to accept the secure cookies over SSL and insecure data over HTTP.
  
  5 servers for 2 apps is a lot. Have you tried a more distributed scheme with 2 servers for the HTML, 2 for the database, and a dedicated SSL proxy? It's a bit of a pain to set up, but you may get better performance with a dedicated SSL machine than the "Renaissance server" tactic.
  
  --
  Three rights make a left. Freedom of speech, freedom of the press, freedom of assembly.
6. Re:Djagno and Secure Cookies by pavera · 2008-09-10 04:08 · Score: 1
  
  I have 3 web and 2 db... I guess I could pull one of those web and dedicate it to ssl...
  Anyway, I'll give it a go and see what happens.
Comment removed by account_deleted · 2008-09-09 05:16 · Score: 1

Comment removed based on user account deletion
fscked by mebrahim · 2008-09-09 05:16 · Score: 1

fscked.org got fscked by getting slashdotted

--
Persian Project Management Software as a Service
Comment removed by account_deleted · 2008-09-09 05:23 · Score: 2, Interesting

Comment removed based on user account deletion
Re:Pay attention by Anonymous Coward · 2008-09-09 05:26 · Score: 0

You need to check *all* their domains. For me nothing at bankofamerica.com is secure, but onlineeast1.bankofamerica.com has at least two secure cookies and they go away when you log out.
Secure by permissioning or secure by encryption? by Junior+J.+Junior+III · 2008-09-09 05:28 · Score: 1

Ways to fix this:
File Permissions: When the web server asks to write cookie, browser uses file permissions to create a group for that site, and allows only members of that group to read or write to that cookie. Either use the disk filesystem's permissioning, or reimplement a permissioning system within the browser profile, to be used only for cookies.
File Encryption: Using a public key encryption method, the content of cookie file is encrypted using the web site's private encryption key, and can only be decrypted by the web server.
Perhaps a combination of both approaches would yield the most secure cookie system.

--
You see? You see? Your stupid minds! Stupid! Stupid!
How do you secure a site? by JoeCommodore · 2008-09-09 05:28 · Score: 3, Interesting

There were a lot of 'email me's and talk about bad htps settings but not much content on really what needs to be done for fixing an existing site or properly setting up a new site to be secure.

--
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
1. Re:How do you secure a site? by jimicus · 2008-09-09 07:09 · Score: 3, Informative
  
  There were a lot of 'email me's and talk about bad htps settings but not much content on really what needs to be done for fixing an existing site or properly setting up a new site to be secure.
  Executive summary:
  It is possible to set a single bit in a cookie sent to the browser which means "Only send this cookie over secured connections".
  Many websites (including some important ones like online banking) don't set this bit for the cookie(s) used for session tracking. Hence, it is possible for an attacker to get the cookie with an invisible proxy that injects HTML which forces the browser to fetch something from the server which set up the cookie.
  eg. I set up an invisible proxy on my wireless network which injects into every page and logs the cookie your browser sends when it attempts to connect to mail.google.com for the image.
  I can now plug this cookie into Firefox and read your email.
  Solution: if your website sets any cookies over an HTTPS connection, such cookies must set the bit meaning "Only send over secure connections". How one goes about doing this will depend on whether you're generating cookies yourself or using an existing framework.
Webmail is broken by LeafOnTheWind · 2008-09-09 05:59 · Score: 1

Let's make this simple. Don't use webmail. Don't use Yahoo.com, Gmail.com, Hotmail.com, squirrelmail, etc. There are SO many vulnerable access points between the web application and your email that it is almost impossible to secure the entire stack.
The use of Ajax alone (like most major webmail vendors) increases your vulnerability by huge amounts. SOP (same origin policy) is broken. A combination of a reflected XSS attack (which are everywhere http://blogs.zdnet.com/Google/?p=451 ) and a stored XSS attack can completely compromise your session.
Forgetting about XSS, there's still CSRF, injections, RFI, information leakage, broken authentication/session management, insecure url access, etc.
So seriously - unless you trust that your email server has secured every possible hole in every possible layer of their stack, stick to TLS/SSL encrypted imap/pop3/smtp. Now, I'm not saying these are perfect, but email protocols are just simpler. There will always be fewer places to attack and thus the chances of your email being compromised are just smaller.
1. Re:Webmail is broken by ccguy · 2008-09-09 07:07 · Score: 1
  
  Don't use webmail
  
  So seriously - unless you trust that your email server has secured every possible hole in every possible layer of their stack, stick to TLS/SSL encrypted imap/pop3/smtp. Now, I'm not saying these are perfect, but email protocols are just simpler.
  
  Your solution only works if
  
  webmail+storage at google
  
  is more secure than
  
  smtp/pop over tls + storage at a typical user's HD which I'm pretty sure is a bad assumption.
2. Re:Webmail is broken by LeafOnTheWind · 2008-09-09 07:39 · Score: 1
  
  Oh - I'm not speaking to the typical user. The typical user probably has a keylogger or trojan that makes this all void. I'm speaking to those who are security literate and want to choose both the simplest and most secure solution.
  Personally, I use GPG and have an encrypted hard drive and I feel far more comfortable using IMAP over TLS after compromising Gmail with an XSS exploit.
3. Re:Webmail is broken by Anonymous Coward · 2008-09-09 10:28 · Score: 0
  
  I bet the chicks all love how secure you are. "No baby, I wont let you use gmail because the con-fibulator on the iPop isn't secure. Let me format your laptop and put on linux instead. What's that bitch? YOu cannot use linux? Screw sex, I'm breaking up with you instead."
Re:Secure by permissioning or secure by encryption by corbettw · 2008-09-09 06:10 · Score: 2, Informative

File Permissions: When the web server asks to write cookie, browser uses file permissions to create a group for that site, and allows only members of that group to read or write to that cookie. Either use the disk filesystem's permissioning, or reimplement a permissioning system within the browser profile, to be used only for cookies.
Requires giving the browser root access to the system (though you can mitigate this by running a jail or sandbox).

File Encryption: Using a public key encryption method, the content of cookie file is encrypted using the web site's private encryption key, and can only be decrypted by the web server.
I thought that's what SSL cookies do in the first place?

--
God invented whiskey so the Irish would not rule the world.
Re:Secure by permissioning or secure by encryption by Junior+J.+Junior+III · 2008-09-09 06:16 · Score: 1

File Permissions: When the web server asks to write cookie, browser uses file permissions to create a group for that site, and allows only members of that group to read or write to that cookie. Either use the disk filesystem's permissioning, or reimplement a permissioning system within the browser profile, to be used only for cookies.
Requires giving the browser root access to the system (though you can mitigate this by running a jail or sandbox).
Good point, kindof why I suggested re-implementing permissioning at a higher level of abstraction than the filesystem.

I thought that's what SSL cookies do in the first place?
Right, but I'm saying they should do encrypted cookies across the board, whether the site is SSL or not.

--
You see? You see? Your stupid minds! Stupid! Stupid!
Google Cache by g0bshiTe · 2008-09-09 06:20 · Score: 1

Google Cache

All I want for Christmas is a website that /. can't bring to it's knees.

--
I am Bennett Haselton! I am Bennett Haselton!
1. Re:Google Cache by Anonymous Coward · 2008-09-09 09:38 · Score: 0
  
  Now where is the C64 webserver article when you need it?
Yodlee MoneyCenter by mdonley · 2008-09-09 06:22 · Score: 1

Yodlee MoneyCenter passes the test, and appears secure. However, my own personal online banking institution did not fare so well. Argh!

--
God look at me, I'm just a man, but you tell me I'm not just a man, so hard to understand, after all, I'm just a man.
Comment removed by account_deleted · 2008-09-09 06:28 · Score: 1

Comment removed based on user account deletion
Are any sites NOT vulnerable? by neurovish · 2008-09-09 07:06 · Score: 1

Using the method outlined in the post, I can't find any sites that I have cookies for that aren't vulnerable.
1. Re:Are any sites NOT vulnerable? by LordSnooty · 2008-09-09 08:00 · Score: 1
  
  I don't even seem to have any cookies that are set 'encrypted connection only', a major banking site has all cookies sent for any type of connection.
  
  If I understand the problem correctly, it seems a simple workaround is to delete all cookies related to a vulnerable site as soon as you've finished, that would soon stop my browser sending them to nefarious sorts with invisible proxies.
What it fixes: by Anonymous Coward · 2008-09-09 07:07 · Score: 0

The problem is that a browser will usually send all cookies, even those which are set by a HTTPS site, over an unencrypted connection to the same server as well. That is, unless the HTTPS site instructs the browser to use the cookie only with the HTTPS site and not the HTTP site on the same server.
If you're logged in to an HTTPS site over a public wireless hotspot, then an attacker can hijack some other non-encrypted connection and modify the content to load further content from the same domain as the HTTPS site, but using the unencrypted HTTP protocol. Then your cookie from the secure connection will be sent in the clear and the attacker can log in as you. The way to fix this is to change the web server side such that it flags all cookies set over HTTPS as HTTPS-only cookies.
Someone Skipped Their OPSEC Rebrief by Anonymous Coward · 2008-09-09 07:20 · Score: 0

Way to go with the OPSEC low profile. Why don't you post your circuit's IP and URL while you're at it, big guy? My ISSM can get with yours, we have big party then.
1. Re:Someone Skipped Their OPSEC Rebrief by n3tcat · 2008-09-09 08:25 · Score: 1
  
  Yeah I'm the first person to ever say "I'm in the military and we have this thing called SIPR and here's a public link to the wiki."
  And I'm probably also the first say "We can convert sat feeds to digital signal. DONT TELL THE COMMIES!"
2. Re:Someone Skipped Their OPSEC Rebrief by Anonymous Coward · 2008-09-09 10:29 · Score: 0
  
  Yeah I'm the first person to ever say "I'm in the military and we have this thing called SIPR and here's a public link to the wiki." And I'm probably also the first say "We can convert sat feeds to digital signal. DONT TELL THE COMMIES!"
  If you paid ANY attention to your briefings, you'd already know that you don't want to be the first, last, or any of those people. Dumbass. Take your lumps like a man, so that you won't look like such a fool if your security officer decides to invest the half hour it'll take to connect the dots.
Firefox should complain by speedtux · 2008-09-09 07:20 · Score: 1

Firefox should complain loudly when such cookies are being sent:
"Server error: server has sent cookies unsafely. You can add an exception, by clicking below, but until the web site operator fixes the site, you should consider your session not secure."
And even moreso... by nweaver · 2008-09-09 07:46 · Score: 1

CookieMonster is an active tool.
It will take any OTHER connection the user makes on a wireless link, redirect THAT to point to http://yoursite.com/ answer that request with a SYN, and now the browser spits out the cookie.

--
Test your net with Netalyzr
Security measures not used by russotto · 2008-09-09 07:59 · Score: 1

You know, that "encrypted sessions only" bit wasn't put in there just for fun. It's bad enough we have any number of things broken by design, we could at least use the security which actually _was_ designed into the system.
Slacking? by Anonymous Coward · 2008-09-09 08:21 · Score: 0

Nobody who uses Ubuntu is a slacker. Nobody.
"air gapping" by joedoc · 2008-09-09 08:31 · Score: 1

Well, I don't know where you're located on the SIPR, but here in that big, oddly-shaped building near the river alongside the city with the big pointy tower and the big white-domed place, we call that "a major pain in my ass."

--
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
How ya gonna hijack me, turkey? by harrie_o · 2008-09-09 08:42 · Score: 0

I have teens, so I'm virtualized with a twenty second revert to baseline wiping everything and bringing us to a fresh Firefox 3.01 (for me) or IE7 (wife) every time.

The embedded units besides TiVo are on NetBeui only for the TV and another for iTunes library (that one read-only) with a frequently wiped netbeui file server for the TV content. How ya gonna route that spy data over Netbeui?

Anyone keeping a real machine for surfing should realize its just a bathroom rug accumulating gunk that anyone who sat in front of the screen ever visited (even by accident).

The host under the virtual doesn't even have network connectivity.

The only real machine left in the house is my gamer and sheer theory of potential botnets are why INSIDE THE HOUSE I make damn sure the gamer IN THE LIVING ROOM is HIBERNATED before doing anything.
The issue described by rabtech · 2008-09-09 08:45 · Score: 4, Informative

1. Look at DNS requests or do a IP-domain reverse lookup to know what websites the target is visiting over HTTPS. Automated tool can do this over time.
2. On next regular HTTP request by your target, be a man-in-the-middle and inject an image pointing to desired HTTPS site, except don't use HTTPS - just HTTP.
3. Browser will dutifully send the cookie along with the image request over plain HTTP (after all, the domain names match), even though the cookie was created and managed only via HTTPS by the original website.
4. Now your automated sniffer just picked up the supposedly "secure" cookie for the HTTPS site, even though you never even attempted to hack the HTTPS conversation. If the site stores your username/password, a session id, etc this could expose sensitive information.
5. Protect your applications by setting the encrypted session only flag on the cookie so the browser won't send it with plain HTTP requests. If you have HTTP and HTTPS areas of the site, keep separate cookies for both areas and make sure sensitive info is only stored in the HTTPS-only cookie.

--
Natural != (nontoxic || beneficial)
1. Re:The issue described by Onymous+Coward · 2008-09-09 09:33 · Score: 1
  
  Thanks for your clarification.
  This is basically what I gathered from reading the author's description, but it was so poorly written that it left me wondering.
2. Re:The issue described by Furry+Ice · 2008-09-09 12:57 · Score: 1
  
  While this is disconcerting, it's not like step 2 (being a man in the middle) is easy for an attacker. If they can play that game, you have many things to worry about, which I think is a pretty simple explanation for why people aren't totally panicking over this.
3. Re:The issue described by Alsee · 2008-09-10 00:58 · Score: 1
  
  Good explanation, but I find it's better to just skip the cookies entirely and stick to cupcakes.
  -
  
  --
  - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Thanks for the panic attack by Rupert · 2008-09-09 09:01 · Score: 1

So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts)
OK, when did it become funny to put the contents of my cookie in TFA?
Oh, and I am not responsible for the CSS on the sites I develop for my employer. Don't blame me for the dark blue text on a medium blue background.

--

--
E_NOSIG
Just release it in the conventional way already... by sethstorm · 2008-09-09 09:09 · Score: 1

(For those who might be tempted to say Defcon, it was not ready).
It's out there, enough with the needless delays and just get a mirror/link out there.

--
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Re:Secure by permissioning or secure by encryption by Onymous+Coward · 2008-09-09 10:10 · Score: 1

Wait wait... what?
Encrypt the cookie data with the site's private key? ... So that holders of the site's public key can decrypt the contents of the cookie? Which would be everyone?
But maybe you meant encrypt the cookie data with the site's public key, so that only the site can decrypt it. That would make more sense. But, still, that doesn't work.
See, you'll be sending something over HTTP to the site in question. Let's say it's a secret message that only the site can decrypt, per your proposal. That does not prevent anyone else from sending the same secret message. I don't have to be able to decrypt the secret cookie to snoop, copy, then send the secret cookie.
One's next inclination may be to find a way to make sure that others can't send the same secret cookie. Perhaps some kind of authentication. I think things start to get a little complex this way. Why not just have the site serve the cookie with "Secure;" in the string?
Client-side Mitigation by Giorgio+Maone · 2008-09-09 10:27 · Score: 1

A countermeasure against this attack scenario has just been added to latest NoScript development version:

v 1.8.0.5
Experimental "Force Secure Cookies" feature, mitigates HTTPS cookie hijacking attacks (http://tinyurl.com/cookiehijack).
Enabled by default, it can be disabled either globally, by toggling the noscript.secureCookies about:config preference, or for specific domains only, by listing them (space or comma separated) in the noscript.secureCookiesException about:config preference

Whenever a cookie is set over a secured HTTPS connection, NoScript forcibly flags it as "Secure" even if the server didn't. Therefore the browser won't leak it anymore over insecure connections.
Obviously this feature works always as long as it's turned on, independently from JavaScript/Java/Flash/Plugins permissions.

--
There's a browser safer than Firefox, it is Firefox, with NoScript
SIPRMAN! by newr00tic · 2008-09-09 11:40 · Score: 0

Mod parent up !
GP is going to Gitmo, fo' shitmo, my slash-dit'mo 's.

--
A horse can't be sick, you know, even if he wants to.
Hi I'm a proffesional lock-picker by chord.wav · 2008-09-09 12:34 · Score: 1

If you are leaving your home for a few days and have trouble locking your home, let me know the address and I'll send you a lock!
Probably used in one old scam already by Anonymous Coward · 2008-09-09 17:52 · Score: 0

I've always suspected this is how those F(r)eeCreditInfo companies kept getting new card numbers after cancelling their "service". (Which consists of being charged $20/mo for nothing and have it billed to various random sounding things that strangely start with the same routing number.) They glean your cookies with their banner ads to find transactions with other companies. Their Flash based banners even show up at many trustworthy sites. (Websites don't seem to care what's in the script if they get enough $$ for the ad.) Other than having to deal with the bank for the 3rd time, clearing the cookies and blocking all domains and IPs of such "service" and related "companies" - the problem finally stopped.
Anyhow, in hindsight it's better to pay a modest one-time fee to your bank or credit card company (usually around $10) to find your rating, than to get it up the ass for a "free" report (with a very very small print or hidden service agreement that rapes you in the long run.)
Asp.net workaround by FilthCatcher · 2008-09-09 18:10 · Score: 1

Alarmmingly, asp.net session and authentication cookies do not have the secure bit set even when the site is set to https-only. The server still accepts http requests to display a "site can only be viewed over https" This C# code added to global.asax will secure all cookies on a .net site. I've left cookies unsecure when browsing localhost so Visual Studio debugging and "view in browser" will still work. protected void Application_EndRequest(Object sender, EventArgs e) { // set all cookies to secure if (Request.Url.Host != "localhost" && Response.Cookies.Count > 0) { foreach (string s in Response.Cookies.AllKeys) { Response.Cookies[s].Secure = true; } } }