Modern Browsers Are Undefended Against Cookie-based MITM Attacks Over HTTPS
An anonymous reader writes: An advisory from CERT warns that all web browsers, including the latest versions of Chrome, Firefox, Safari and Opera, have 'implementation weaknesses' which facilitate attacks on secure (HTTPS) sites via the use of cookies, and that implementing HSTS will not secure the vulnerability until browsers stop accepting cookies from sub-domains of the target domain. This attack is possible because although cookies can be specified as being HTTPS-specific, there is no mechanism to determine where they were set in the first place. Without this chain of custody, attackers can 'invent' cookies during man-in-the-middle (MITM) attacks in order to gain access to confidential session data.
I believe what the article was saying is that after you have received a cookie, the browser can't tell if it was received via a secure connection or not. Therefore, if you visit another website (specifically one that sets a cookie with the same name), the browser doesn't know which cookie to return upon request from the unencrypted site. More of a guess on my part is that the browser can be made to return both / all cookies with that name, then the site owner can establish a connection to your secure site as you if the stolen cookie is your authenticated session ID for that (secure) site.
Quick solution (assuming the above is correct): Connect to your bank / site with incognito/private sessions and don't browse other things until you finish your transaction and close the session (which would purge the cookies).
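The duplicate-name case guessed at in the comment above can be checked for on the server side. The following is an added example, not code from the CERT advisory or from this page: it parses a Cookie request header, which carries only name=value pairs, and refuses a session cookie whose name appears more than once. The cookie name `SID` and the sample headers are constructed for illustration.

```javascript
// Added example: server-side check for an ambiguous (duplicated) session cookie.
// The Cookie request header carries only name=value pairs; the Secure, Domain
// and Path attributes given in Set-Cookie are not sent back, so the server
// cannot tell which of two same-named cookies was set over HTTPS.

// Parse a raw Cookie header into a Map of name -> array of values (in order).
function parseCookieHeader(header) {
  const byName = new Map();
  for (const part of String(header || "").split(";")) {
    const pair = part.trim();
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    if (eq <= 0) continue; // assumption: pairs without a name are ignored
    const name = pair.slice(0, eq).trim(); // cookie names are case-sensitive
    const value = pair.slice(eq + 1).trim(); // value may itself contain "="
    if (!byName.has(name)) byName.set(name, []);
    byName.get(name).push(value);
  }
  return byName;
}

// Classify the session cookie. Any duplicate is treated as untrusted rather
// than picking the first or last value, since either could be the injected one.
function checkSessionCookie(header, sessionName) {
  const values = parseCookieHeader(header).get(sessionName) || [];
  if (values.length === 0) return { status: "missing", value: null, count: 0 };
  if (values.length > 1) {
    return { status: "ambiguous", value: null, count: values.length };
  }
  return { status: "ok", value: values[0], count: 1 };
}

// Constructed sample headers (not captured traffic).
const SAMPLE_HEADERS = [
  "theme=dark; SID=abc123",           // one session cookie
  "SID=zzz999; theme=dark; SID=abc123", // same name sent twice
  "theme=dark",                        // no session cookie
];

for (const h of SAMPLE_HEADERS) {
  const r = checkSessionCookie(h, "SID");
  console.log(`${r.status.padEnd(9)} count=${r.count}  <- ${h}`);
}
```

A cookie that replaced the legitimate one outright reaches the server as a single value and passes this check, so it covers only the duplicate case.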