Re: Cookie Monster

2008-09-20 Thread Matt Curtin
On Wed, Sep 17, 2008 at 6:39 PM, EMC IMAP [EMAIL PROTECTED] wrote: It turns out hardly anyone bothers to mark their cookies secure. In Firefox, if you list your cookies, you can sort on the Secure field. I only found a couple of cookies marked - mainly from American Express, one of the few

Re: Cookie Monster

2008-09-19 Thread James A. Donald
EMC IMAP wrote: Yet another web attack: http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/ My own conclusion from this: This is yet another indication that the whole browser authentication model is irretrievably broken. It's just way too complex, with way too many moving parts

Re: Cookie Monster

2008-09-19 Thread Leichter, Jerry
On Fri, 19 Sep 2008, Barney Wolff wrote:
| Date: Fri, 19 Sep 2008 01:54:42 -0400
| From: Barney Wolff [EMAIL PROTECTED]
| To: EMC IMAP [EMAIL PROTECTED]
| Cc: Cryptography cryptography@metzdowd.com
| Subject: Re: Cookie Monster
|
| On Wed, Sep 17, 2008 at 06:39:54PM -0400, EMC IMAP wrote:
| Yet

Cookie Monster

2008-09-18 Thread EMC IMAP
time, and people apparently think the two attacks are the same; but they aren't, and mechanisms to prevent sidejacking generally don't block Cookie Monster.) As I understand the attack, it's this: Cookies can be marked Secure. A Secure cookie can only be returned over an HTTPS session