On Wed, Sep 17, 2008 at 6:39 PM, EMC IMAP <[EMAIL PROTECTED]> wrote: > It turns out hardly anyone bothers to mark their cookies secure. In > Firefox, if you list your cookies, you can sort on the Secure field. I only > found a couple of cookies marked - mainly from American Express, one of the > few sites that gets this right. (Bank of America, for example, doesn't; > Gmail with the new HTTPS-only setting does, but other Google services > don't.)
This isn't a new problem. I might be inclined to argue that it used to be worse in terms of vulnerability (though today it's worse in the asset exposed through vulnerability, e.g., a stolen session can be a bigger problem today than it was). We found the same problem with the BankOne Online site eight years ago. The part that we found significant about that was that the UserID field then was a working customer payment card number. http://www.interhack.net/pubs/bankone-online/ Back-end systems for dealing with authentication of sessions and so on tend to be more sophisticated these days, which also helps. While this is probably happening very little if at all in systems like Web-based email, at least in higher-value Web applications there is better detection of fraud. In particular, I am seeing more systems that are paying attention to source IP addresses in combination with other factors like cookies to determine whether the request is legitimate. -- Matt Curtin, author of Brute Force: Cracking the Data Encryption Standard Founder of Interhack Corporation +1 614 545 4225 http://web.interhack.com/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]