Re: Let's talk about HTTPS Everywhere
On Wed, 19 Jan 2011 10:53:50 -0500, Curt Howland wrote:
> On Wednesday 19 January 2011, Camaleón was heard to say:
>> Data stored in cookies is not what I understand as "sensitive". What
>> kind of information do you think cookies are managing?
>
> Maybe this would be enlightening:
>
> http://codebutler.com/firesheep
>
> FTA:
> "It's extremely common for websites to protect your password by
> encrypting the initial login, but surprisingly uncommon for websites to
> encrypt everything else. This leaves the cookie (and the user)
> vulnerable. HTTP session hijacking (sometimes called "sidejacking") is
> when an attacker gets a hold of a user's cookie, allowing them to do
> anything the user can do on a particular website. On an open wireless
> network, cookies are basically shouted through the air, making these
> attacks extremely easy."
Maybe I have not expressed myself properly.
Any data passing through an unencrypted channel is vulnerable to being
fetched and reviewed by anyone, and we all know that.
My point here is that I don't mind _that kind of data_ being
disclosed, because it is public and easily gathered by other means (anyone
reading my e-mail headers can see my IP address and/or e-mail client), and
tracking cookies (session cookies) do not contain sensitive information
(by "sensitive information" I mean passwords or usernames/logins for
gaining access to online services, like banking, shopping or such).
In brief:
- Does the cookie contain sensitive/private information? → set/get the
cookie using ssl
- Does the cookie contain standard/publicly available information → no
need to be encrypted
What I fear, more than "unencrypted" browsing, is e-mail/FTP logins using
clear-text passwords.
Greetings,
--
Camaleón
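The rule of thumb in the message above ("sensitive cookie: set/get it over SSL") can be checked mechanically: the attribute that tells a browser to send a cookie over HTTPS only is `Secure`, and a session cookie without it is exactly what sidejacking on an open network replays. The script below is an added example, not code from the thread or from Firesheep; it parses constructed `Set-Cookie` headers (sample values, not captured from any real site) and flags session-looking cookies that lack `Secure`. The name heuristic `SESSION_NAME_HINT` is an assumption of this example.

```python
"""Audit Set-Cookie headers for session cookies a browser would also send
over plain HTTP (the sidejacking case discussed in the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Assumed heuristic: cookie names that usually carry a logged-in session.
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    secure: bool          # Secure attribute present: HTTPS-only transmission
    httponly: bool        # HttpOnly present: not readable by page scripts
    looks_like_session: bool

    @property
    def sidejackable(self) -> bool:
        # A session-bearing cookie without Secure is sent over plain HTTP,
        # so anyone on the same open network can capture and replay it.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header_value: str) -> CookieAudit:
    # RFC 6265: "name=value" first, then ';'-separated attributes. Cookie
    # values may not contain ';', so a plain split is safe here.
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    # Attribute names are case-insensitive; flags like Secure have no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(
        name=name.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=bool(SESSION_NAME_HINT.search(name)),
    )


def audit_headers(headers: List[str]) -> List[CookieAudit]:
    return [parse_set_cookie(h) for h in headers]


# Constructed sample headers (not from any real server).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",                       # session, no Secure
    "auth_token=xyz; Path=/; Secure; HttpOnly",                  # session, protected
    "lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",    # public preference
]

if __name__ == "__main__":
    for c in audit_headers(SAMPLE_HEADERS):
        verdict = "SIDEJACKABLE" if c.sidejackable else "ok"
        print(f"{c.name:<12} secure={c.secure!s:<5} httponly={c.httponly!s:<5} {verdict}")
```

Only the first sample cookie is reported as sidejackable; the language preference is public data and, by the thread's own rule, needs no encryption.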