-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

defcon @ 2008/03/02 19:02:
| What is a good way to enforce a good cookie policy
| for firefox?

this was discussed a bit not too long ago.[1] check that thread for some useful links as well.

i learned that cookies have a security attribute which dictates whether a cookie is sent over an encrypted connection or not. most sites which require you to log on do not set this security attribute. so, while you may be sending your username/password over SSL, the cookie which contains your "session id", etc. may be transferred in the clear. so, instead of an attacker gaining your username/password, they can gain access to your session and do whatever you would be allowed to do whilst logged in. slightly less dangerous. most sites require you to reauthenticate before changing your password, so that is probably one thing the attacker cannot do.

i'm not sure of a way to find out if a site will transfer its cookies over an encrypted connection, without actually logging in and then taking a look at the cookies you've received. you can look at your cookies in firefox and there is a line "Send for:" which will tell you the type of connection used. (maybe you need to install the add-on CookieSafe to see this detailed information.) i also learned that by using a cookie editor, you cannot force a cookie to be sent over an encrypted connection.

ultimately, i would recommend turning off cookies altogether. if you have to log on to some site, i would recommend creating a new anonymous email to use for that purpose alone.

really, i don't see why the webmasters do not just set cookies to be sent over SSL. i'm not a webmaster. but, is it really that hard? does it add that much more overhead than they are already experiencing from using HTTPS? or are they just ignorant, lazy?

comments welcome. thanks.

1. http://archives.seul.org/or/talk/Sep-2007/threads.html#00100
-----BEGIN PGP SIGNATURE-----

iD8DBQFHzzEgXhfCJNu98qARCMOdAJ9X+DJ/p5D9fwOToz2+DAAgjsJ2iwCfSkvx
CFYWm315wdIOqeCANbkrOgs=
=4oAz
-----END PGP SIGNATURE-----
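The "security attribute" the post describes is the cookie's Secure flag. The following Python script is an added example, not part of the original post or any project it references: it parses constructed Set-Cookie headers, models the browser rule that a Secure cookie is only attached to https requests (so a session cookie without it can travel in the clear over plain http), reports which cookies lack the flag, and shows the one-line server-side fix the post asks about. The header values and cookie names are made up for illustration.

```python
"""Audit Set-Cookie headers for the Secure attribute and model the browser
rule it controls: a cookie marked Secure is attached only to requests sent
over an encrypted (https) connection."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample responses; not captured from any real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",          # session cookie, no Secure
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",  # correctly flagged
    "prefs=dark; Path=/; Max-Age=31536000",        # preference cookie, no Secure
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute names

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive;
    flag attributes such as Secure and HttpOnly carry no value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def should_send(cookie: Cookie, request_url: str) -> bool:
    """Browser-side rule: a Secure cookie goes out only over https; a cookie
    without Secure is also sent over plain http, which is the exposure the
    post describes (session hijack rather than password theft)."""
    scheme = urlsplit(request_url).scheme.lower()
    if cookie.secure:
        return scheme == "https"
    return scheme in ("http", "https")


def audit(headers: List[str]) -> List[str]:
    """Return the names of cookies that a browser would send in the clear."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


def with_secure(header: str) -> str:
    """Server-side fix: append the Secure attribute if it is missing."""
    if parse_set_cookie(header).secure:
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for name in audit(SAMPLE_SET_COOKIE_HEADERS):
        print(f"cookie {name!r} lacks Secure and would be sent over http")
    print("fixed:", with_secure(SAMPLE_SET_COOKIE_HEADERS[0]))
```

Run against the constructed headers, the audit lists SESSIONID and prefs; only the csrftoken cookie is restricted to https. On the server side, adding Secure is a single attribute on the Set-Cookie header, which is why the overhead concern in the post does not really apply.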

