Re: Let's talk about HTTPS Everywhere

To: debian-user@lists.debian.org
Subject: Re: Let's talk about HTTPS Everywhere
From: Camaleón <noelamac@gmail.com>
Date: Thu, 20 Jan 2011 15:26:31 +0000 (UTC)
Message-id: <[🔎] pan.2011.01.20.15.26.29@gmail.com>
References: <20110119145359.543EE13A6437@liszt.debian.org> <[🔎] 201101191053.50768.Howland@priss.com> <[🔎] pan.2011.01.19.16.46.10@gmail.com> <[🔎] 4D371A58.9060804@googlemail.com> <[🔎] pan.2011.01.19.17.50.57@gmail.com> <[🔎] 20110119160930.225f5f8b.celejar@gmail.com>

On Wed, 19 Jan 2011 16:09:30 -0500, Celejar wrote:

> On Wed, 19 Jan 2011 17:50:58 +0000 (UTC) Camaleón wrote:
> 
>> On Wed, 19 Jan 2011 18:07:36 +0100, tv.debian@googlemail.com wrote:
> 
> ...
> 
>> > It is not only the data enclosed inside the cookie which are at risk
>> > here, but the entire session on the website you are logged in. Say
>> > you log into your "friendface" account, and someone near your catch
>> > your unencrypted session cookie, then he is YOU on YOUR "friendface"
>> > account...
>> 
>> That sounds like bad programming or a buggy site. There are methods to
>> prevent such attacks on the server side that involves no encrypted
>> sessions, but sometimes it is easier (and cheaper) for companies to
>> rely on completely encrypted sessions and not implement another
>> countermeasures.
> 
> I'm curious - how can one completely guard against a MITM attack without
> using encryption?

We were talking about "session hijacking" which is a bit different from 
"man in the middle" attacks. In fact, this kind of threat ("man in the 
middle") cannot even be totally prevented with just "https" (the Sans 
Institute published a good article on the matter¹ -as well as another 
interesting papers that can be found here²) so when it comes to security, 
relying in only "one point" of failure should be avoided at all.

In regards to "http cookie hijacking" the first and foremost a programmer 
would ask himself is "do we really need to *constantly* generate a write/
read operations of the cookies for *all* the tasks?". On these days, no 
one of us can browse the web and join to online services with a 
completely cookie disabled browser and that's a bit excessive, IMO.

If the data, that now is being exchanged between the server and user's 
computer by means of cookies, is to be stored in the server itself in a 
database, most of theses attacks could be prevented.

In addition, enforcing a good policy, like user login session 
regeneration or logouts, also help but these options are not always 
neither implemented nor enforced and most of the new "cloud" services 
rely on full-session encryption to simplify things.

¹http://www.sans.org/reading_room/whitepapers/threats/ssl-man-in-the-middle-attacks_480
²http://www.sans.org/reading_room/whitepapers/threats/

Greetings,

-- 
Camaleón

Reply to:

Follow-Ups:
- Re: Let's talk about HTTPS Everywhere
  - From: Celejar <celejar@gmail.com>
- Re: Let's talk about HTTPS Everywhere
  - From: Dave Sherohman <dave@sherohman.org>

References:
- Re: Let's talk about HTTPS Everywhere
  - From: Curt Howland <Howland@priss.com>
- Re: Let's talk about HTTPS Everywhere
  - From: Camaleón <noelamac@gmail.com>
- Re: Let's talk about HTTPS Everywhere
  - From: "tv.debian@googlemail.com" <tv.debian@googlemail.com>
- Re: Let's talk about HTTPS Everywhere
  - From: Camaleón <noelamac@gmail.com>
- Re: Let's talk about HTTPS Everywhere
  - From: Celejar <celejar@gmail.com>

Prev by Date: Re: Hard disk high avalibity
Next by Date: Re: Let's talk about HTTPS Everywhere
Previous by thread: Re: Let's talk about HTTPS Everywhere
Next by thread: Re: Let's talk about HTTPS Everywhere
Index(es):
- Date
- Thread