[LINK] Cookies, fear, uncertainty & doubt.

David Boxall david.boxall at hunterlink.net.au
Fri Sep 5 16:33:07 AEST 2008


<http://www.itnews.com.au/Feature/4911,fighting-fire-with-fire.aspx>
...
> At underground hacker convention DEFCON last month, Perry revealed 
> vulnerabilities in cookies used by sites such as Gmail, Facebook and 
> LinkedIn.
...
> There are actually two vulnerabilities here. The first is that many 
> sites do not secure their content via https past the initial login 
> page. This allows an attacker to steal their users' cookies and 
> impersonate them on the local network whenever they use the site.
>
> A tool to do this (Robert Graham's 'Hamster') has been circulating 
> for a year, but there has been no response from the major sites.
>
> The second vulnerability is that many sites do use https past the 
> login page but do not mark their cookies as 'secure'. This is what 
> allows an attacker to induce their browser to transmit these cookies 
> over unsecured, regular http connections so they can observe them and 
> impersonate the user.
...
> There are two issues I am trying to tackle here. One is to launch a 
> more direct assault against the trend towards 'security theater' -- 
> providing the show of security to people while not actually protecting 
> them at all.
...
> The risks are quite large for affected sites, and very frequently run 
> all the way up to complete identity theft and access to financial data.
...
> In general the web is a pretty nasty place. A lot of this stems from 
> the way the web was designed: as an open, stateless, and mostly 
> unauthenticated medium where sites can load content from other sites, 
> refer their users to other sites, and have them execute almost 
> arbitrary actions automatically.
>
> This requires each site to have to do a lot of custom, independent 
> legwork to secure things from this originally open state, and a lot of 
> them end up getting bits and pieces wrong. Sometimes even fundamental 
> pieces that are fully supported in major browsers, such as the cookie 
> issue we see here.
...
> I actually came to privacy, security, and censorship resistance 
> through my independent study of reverse engineering in University.
>
> Right around the turn of the century, all of these ideas came under 
> attack in my country [USA] via rather draconian laws such as the 
> PATRIOT Act and the DMCA. Because of the vague nature of these laws 
> and the climate of surveillance and fear, it was necessary to be very 
> careful about what I studied and how
...
> Privacy policies are often a joke and riddled with exceptions, 
> loopholes, rapidly changing terms, and I believe not even regarded as 
> binding contracts by the courts.
>
> I don't think society has had time to evaluate the consequences of all 
> of this data being accumulated by these organisations. From the fact 
> that it can be stolen or leaked; used in lawsuits, divorce cases, or 
> custody battles, or the fact that it will rapidly become a political 
> weapon used to manipulate our public officials, the consequences of 
> all this data being gathered (and often sold), even if it is held 
> under the strictest of safeguards, are very dangerous.
...


-- 
David Boxall                    |  Any given program,
                                |  when running correctly,
                                |  is obsolete.
                                |       --Arthur C. Clarke
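As an added example (not code from the article, from this post, or from Mike Perry's tool), the Node.js script below models the browser rule that makes the two quoted flaws work: a cookie is attached to a request when host and path match, and a cookie carrying the Secure attribute is attached only when the request scheme is https. It also includes a small server-side audit that lists cookies issued without Secure. The hostnames, cookie values and Set-Cookie headers are constructed for the demonstration.

```javascript
// Added example, not code from the article or from Mike Perry's CookieMonster:
// a minimal cookie jar that applies the RFC 6265 rule for the Secure attribute,
// to show why a session cookie set without it leaks over plain http.
// Hostnames and cookie values below are constructed for the demonstration.

// Parse one Set-Cookie header value into a cookie record (Expires, Max-Age and
// SameSite are deliberately ignored; they do not change the point being made).
function parseSetCookie(header, setFromHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: setFromHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the setting host receives it
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false; // Domain attribute: the host and its subdomains
    }
  }
  return cookie;
}

// Decide which stored cookies a browser attaches to a request for `url`
// (RFC 6265 section 5.4): host match, path match, and a Secure cookie only
// when the request scheme is https.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const sent = jar.filter((c) => {
    const hostOk = c.hostOnly
      ? host === c.domain
      : host === c.domain || host.endsWith('.' + c.domain);
    const prefix = c.path.endsWith('/') ? c.path : c.path + '/';
    const pathOk = u.pathname === c.path || u.pathname.startsWith(prefix);
    const schemeOk = !c.secure || u.protocol === 'https:';
    return hostOk && pathOk && schemeOk;
  });
  return sent.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Server-side check a site can run on its own responses: names of cookies
// issued without the Secure attribute.
function cookiesMissingSecure(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => parseSetCookie(h, 'unused.test'))
    .filter((c) => !c.secure)
    .map((c) => c.name);
}

// Walk through the two flaws described in the quoted article with constructed values.
function demo() {
  const site = 'mail.example.test';
  const weakJar = [parseSetCookie('SID=7f3a9c; Path=/; HttpOnly', site)];
  const hardenedJar = [parseSetCookie('SID=7f3a9c; Path=/; HttpOnly; Secure', site)];

  // Flaw 1: the site itself serves pages over http after login, so the
  // session cookie rides along in the clear on every page view.
  const plainPageView = cookieHeaderFor(weakJar, 'http://mail.example.test/inbox');

  // Flaw 2: the site uses https, but the cookie lacks Secure. An attacker on
  // the same network cannot read the https traffic, but can inject something
  // like <img src="http://mail.example.test/favicon.ico"> into any plaintext
  // page the victim loads; the browser then makes this request.
  const induced = 'http://mail.example.test/favicon.ico';
  const leakedByInducedRequest = cookieHeaderFor(weakJar, induced);

  // With Secure set, the induced http request carries no session cookie,
  // while the real https session keeps working.
  const withSecure = cookieHeaderFor(hardenedJar, induced);
  const httpsStillWorks = cookieHeaderFor(hardenedJar, 'https://mail.example.test/inbox');

  return { plainPageView, leakedByInducedRequest, withSecure, httpsStillWorks };
}

console.log(demo());
```

Run with `node cookie_secure_demo.js` (any file name). The Secure attribute governs only what the browser sends; it does not stop a plaintext response from the same host setting or overwriting a cookie, which is why serving the whole site over https is the stronger fix and the flag is the minimum a site should set on its session cookie.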