[LINK] Cookies, fear, uncertainty & doubt.
David Boxall
david.boxall at hunterlink.net.au
Fri Sep 5 16:33:07 AEST 2008
<http://www.itnews.com.au/Feature/4911,fighting-fire-with-fire.aspx>
...
> At underground hacker convention DEFCON last month, Perry revealed
> vulnerabilities in cookies used by sites such as Gmail, Facebook and
> LinkedIn.
...
> There are actually two vulnerabilities here. The first is that many
> sites do not secure their content via https past the initial login
> page. This allows an attacker to steal their users' cookies and
> impersonate them on the local network whenever they use the site.
>
> A tool to do this (Robert Graham's 'Hamster') has been circulating
> for a year, but there has been no response from the major sites.
>
> The second vulnerability is that many sites do use https past the
> login page but do not mark their cookies as 'secure'. This is what
> allows an attacker to induce their browser to transmit these cookies
> over unsecured, regular http connections so they can observe them and
> impersonate the user.
...
> There are two issues I am trying to tackle here. One is to launch a
> more direct assault against the trend towards 'security theater' --
> providing the show of security to people while not actually protecting
> them at all.
...
> The risks are quite large for affected sites, and very frequently run
> all the way up to complete identity theft and access to financial data.
...
> In general the web is a pretty nasty place. A lot of this stems from
> the way the web was designed: as an open, stateless, and mostly
> unauthenticated medium where sites can load content from other sites,
> refer their users to other sites, and have them execute almost
> arbitrary actions automatically.
>
> This requires each site to have to do a lot of custom, independent
> legwork to secure things from this originally open state, and a lot of
> them end up getting bits and pieces wrong. Sometimes even fundamental
> pieces that are fully supported in major browsers, such as the cookie
> issue we see here.
...
> I actually came to privacy, security, and censorship resistance
> through my independent study of reverse engineering in University.
>
> Right around the turn of the century, all of these ideas came under
> attack in my country [USA] via rather draconian laws such as the
> PATRIOT Act and the DMCA. Because of the vague nature of these laws
> and the climate of surveillance and fear, it was necessary to be very
> careful about what I studied and how
...
> Privacy policies are often a joke and riddled with exceptions,
> loopholes, rapidly changing terms, and I believe not even regarded as
> binding contracts by the courts.
>
> I don't think society has had time to evaluate the consequences of all
> of this data being accumulated by these organisations. From the fact
> that it can be stolen or leaked; used in lawsuits, divorce cases, or
> custody battles, or the fact that it will rapidly become a political
> weapon used to manipulate our public officials, the consequences of
> all this data being gathered (and often sold), even if it is held
> under the strictest of safeguards, are very dangerous.
...
--
David Boxall          |  Any given program,
                      |  when running correctly,
                      |  is obsolete.
                      |             --Arthur C. Clarke
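An added example, not from the article or from this post, that checks Set-Cookie headers for the second weakness quoted above: a session cookie that is not marked 'secure' is attached by the browser to plain http requests even when the site itself uses https after login. The sample headers and the session-name hints are constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies lacking the Secure attribute.

A cookie without 'Secure' is sent by the browser on plain http requests to the
same host, so a site that serves everything over https but omits the flag
still exposes the cookie on any http request the browser can be induced to make.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def sent_over(cookie: Cookie, scheme: str) -> bool:
    """Would a browser attach this cookie to a request using the given scheme?
    'Secure' restricts the cookie to https; any other cookie goes out on both."""
    if scheme == "https":
        return True
    return "secure" not in cookie.attrs


# Constructed name fragments that usually indicate a login/session cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def audit(headers: list[str]) -> list[str]:
    """Return names of session-like cookies that would leak over plain http."""
    leaking = []
    for h in headers:
        c = parse_set_cookie(h)
        looks_like_session = any(hint in c.name.lower() for hint in SESSION_HINTS)
        if looks_like_session and sent_over(c, "http"):
            leaking.append(c.name)
    return leaking


# Constructed sample headers, not taken from any real site.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",        # weak: no Secure attribute
    "auth_token=xyz; Path=/; Secure; HttpOnly",  # fixed: https only
    "lang=en; Path=/",                           # preference cookie, not a session
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: sent over plain http; add the Secure attribute")
```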