
HTTPS (Secure Web pages) get their cookies hijacked

User: Admin
Date: 9/11/2008 6:43 am
Views: 740

mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem.

"I figure the Slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool are gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space." (More below.)

"I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."

© 2005-2010 ABS Computer Technology, Inc. - All Rights Reserved
SpamZapper® is the registered trademark of ABS Computer Technology, Inc.
