Cookie Monster

Matt Curtin cmcurtin at interhack.com
Sat Sep 20 12:36:00 EDT 2008


On Wed, Sep 17, 2008 at 6:39 PM, EMC IMAP <leichter_jerrold at emc.com> wrote:

> It turns out hardly anyone bothers to mark their cookies secure.  In
> Firefox, if you list your cookies, you can sort on the Secure field.  I only
> found a couple of cookies marked - mainly from American Express, one of the
> few sites that gets this right.  (Bank of America, for example, doesn't;
> Gmail with the new HTTPS-only setting does, but other Google services
> don't.)

This isn't a new problem.  I might be inclined to argue that it used
to be worse in terms of vulnerability (though today it's worse in the
asset exposed through vulnerability, e.g., a stolen session can be a
bigger problem today than it was).  We found the same problem with the
BankOne Online site eight years ago.  The part that we found
significant about that was that the UserID field then was a working
customer payment card number.
http://www.interhack.net/pubs/bankone-online/

Back-end systems for dealing with authentication of sessions and so on
tend to be more sophisticated these days, which also helps.  While
this is probably happening very little if at all in systems like
Web-based email, at least in higher-value Web applications there is
better detection of fraud.  In particular, I am seeing more systems
that are paying attention to source IP addresses in combination with
other factors like cookies to determine whether the request is
legitimate.

-- 
Matt Curtin, author of Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation +1 614 545 4225 http://web.interhack.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list