
Re: Let's talk about HTTPS Everywhere



On Thu, 20 Jan 2011 03:36:03 -0600, Dave Sherohman wrote:

> On Wed, Jan 19, 2011 at 02:47:11PM +0000, Camaleón wrote:
>> On Wed, 19 Jan 2011 07:17:58 -0600, Dave Sherohman wrote:
>> > When dealing with sites which use session cookies, "public
>> > navigation" *is* "sensitive data", as every request sent will include
>> > the cookie(s) which identify you and an attacker who gains access to
>> > that data would be able to use those cookies to impersonate you for
>> > the lifetime of that session, as demonstrated by the recent uproar
>> > over FireSheep.
>> 
>> Data stored in cookies is not what I understand for "sensitive". What
>> kind of information do you think are cookies managing?
> 
> As I said earlier, websites which use persistent sessions store the
> session id in a cookie.  While this cookie does not contain any data
> which is meaningful outside of the context of your persistent session,
> it is somewhat sensitive in that an attacker would be able to
> impersonate you by cloning your session cookie.  This would then allow
> them to create or access content on the site which issued the cookie as
> if they were you, potentially gaining access to more conventionally
> sensitive information or fraudulently posting from your account, for the
> remaining lifetime of the session.
> 
> Some sites do associate the originating IP address with the session data
> to help protect against session hijacking, but this is not overly
> widespread and, even when it is employed, it has issues with proxies
> (which can cause multiple users to appear on a single address) or
> reverse proxies (which can cause a single user to appear on multiple
> addresses), so https really is the only surefire way to prevent it.

(as I have just mentioned to Celejar, these problems do exist but they're 
not "exclusively" solved with https encryption)

Greetings,

-- 
Camaleón

