
Re: Let's talk about HTTPS Everywhere



On Wed, 19 Jan 2011 18:07:36 +0100, tv.debian@googlemail.com wrote:

> On the 19/01/2011 17:46, Camaleón wrote:

(...)

>> In brief:
>> 
>> - Does the cookie contain sensitive/private information? → set/get the
>> cookie using ssl
>> 
>> - Does the cookie contain standard/publicly available information → no
>> need to be encrypted
>> 
>> What I fear, more than "unencrypted" browsing, is e-mail/ftp logins
>> using clear-text passwords.
>> 
>> 
>> 
> It is not only the data enclosed inside the cookie which is at risk
> here, but the entire session on the website you are logged in to. Say you
> log into your "friendface" account, and someone near you catches your
> unencrypted session cookie; then he is YOU on YOUR "friendface"
> account...

That sounds like bad programming or a buggy site. There are methods to 
prevent such attacks on the server side that involve no encrypted 
sessions, but sometimes it is easier (and cheaper) for companies to rely 
on completely encrypted sessions and not implement other 
countermeasures.

Greetings,

-- 
Camaleón
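The scenario in the quoted reply (a session cookie picked off the wire on an unencrypted page, then replayed by the listener) and the rule of thumb earlier in the thread (cookies that identify a logged-in session go over SSL only) can be shown side by side with cookie attributes. The following is an added example, not code from anyone in this thread; the hostname friendface.example, the session identifiers and the request URLs are constructed for illustration. It builds a Set-Cookie header with and without the Secure attribute and mimics the browser rule that decides whether the cookie is attached to a plain http:// request, which is exactly where a passive listener on the same network could read it.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def issue_session_cookie(session_id, sensitive):
    """Build the Set-Cookie header a server would emit for a session id.

    'sensitive' follows the thread's rule of thumb: a cookie that stands
    for a logged-in session gets the Secure attribute (browser sends it on
    https:// only). HttpOnly is set in both cases so page scripts cannot
    read it; it does nothing against a network listener.
    """
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["path"] = "/"
    c["session"]["httponly"] = True
    if sensitive:
        c["session"]["secure"] = True
    return c["session"].OutputString()


def cookie_attributes(set_cookie_header):
    """Parse a Set-Cookie header back into the attributes that matter here."""
    c = SimpleCookie()
    c.load(set_cookie_header)
    m = c["session"]
    return {
        "value": m.value,
        "secure": bool(m["secure"]),
        "httponly": bool(m["httponly"]),
    }


def browser_sends_cookie(set_cookie_header, request_url):
    """Browser rule for the Secure attribute: a Secure cookie is attached to
    https:// requests only; a cookie without the flag is attached to
    http:// requests as well."""
    attrs = cookie_attributes(set_cookie_header)
    scheme = urlparse(request_url).scheme
    if attrs["secure"]:
        return scheme == "https"
    return scheme in ("http", "https")


def sniff_plaintext_request(set_cookie_header, request_url):
    """What a passive listener on the same network sees for one request:
    the cookie value if the browser attached it to a plain-HTTP request,
    otherwise None (https traffic is encrypted, Secure cookies stay home).
    Returning the value is the point of the thread: whoever holds it can
    replay it and be treated as the logged-in user."""
    if urlparse(request_url).scheme != "http":
        return None
    if browser_sends_cookie(set_cookie_header, request_url):
        return cookie_attributes(set_cookie_header)["value"]
    return None


if __name__ == "__main__":
    # Constructed inputs: the same site serving one page over http, one over https.
    plain_page = "http://friendface.example/home"
    tls_page = "https://friendface.example/home"
    for sensitive in (False, True):
        hdr = issue_session_cookie("abc123", sensitive)
        print("Set-Cookie:", hdr)
        print("  listener sees on", plain_page, "->", sniff_plaintext_request(hdr, plain_page))
        print("  listener sees on", tls_page, "->", sniff_plaintext_request(hdr, tls_page))
```

Run as a script it prints both headers and what a listener would capture for each; the non-Secure cookie shows up in the clear on the http:// page, the Secure one never leaves on that request at all. A cookie holding only public data (the second bullet in the quoted summary) is the `sensitive=False` case and can stay that way; the session cookie in the "friendface" scenario is the `sensitive=True` case.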

