Date: Mon, 11 Aug 2008 16:37:24 -0700
From: coderman <coderman@...il.com>
To: "Sandro Gauci" <sandro@...blesecurity.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Surf Jack - HTTPS will not save you

On Mon, Aug 11, 2008 at 4:03 AM, Sandro Gauci <sandro@...blesecurity.com> wrote:
> Say hello to a new security tool called "Surf Jack" which demonstrates
> a security flaw found in various public sites. The proof of concept
> tool allows testers to steal session cookies on HTTP and HTTPS sites
> that do not set the Cookie secure flag.

note: Gmail now supports an account option to enforce the secure only
bit on session cookies and keeps your entire gmail session on SSL.
this makes attacks like this and Mike Perry's active side jacking
impossible, as the session cookie is no longer sent in the clear when
http:// non-SSL links are injected into browser content.

to enable this feature:
- at top of page select "Settings"
- scroll to bottom of section for "Browser connection:" preference
- select "Always use https"

this will pass the Secure / secureonly option when setting the GX=...
session cookie used to identify your authenticated session.  this
cookie will then never be sent over plain-text connections, protecting
you from passive / active side jacking attacks.

be sure to use a somewhat modern browser that supports secure only
cookies.  you can also verify correct operation with the "Live HTTP
Headers" plugin for Firefox.

hopefully ongoing attention and improved tools demonstrating the need
for continuous SSL / secureonly session management will be adopted by
all web developers and sites.  (i'm not holding my breath...)

best regards,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
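The secure-only cookie behaviour described in the message above, as an added example that is not part of the original post or of any tool it mentions: a small Python audit that parses Set-Cookie headers, reports session cookies that lack the Secure attribute, and simulates which cookies a browser would attach to an http:// versus an https:// request. The header lines and the SID cookie name are constructed for the example; the GX name is the one the message refers to.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example)."""

# Constructed sample Set-Cookie headers, as captured from a hypothetical site.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com",   # session cookie, no Secure
    "GX=deadbeef; Path=/; Secure; HttpOnly",     # secure-only session cookie
    "PREF=lang=en; Path=/",                      # non-session preference cookie
]

# Constructed list of cookie names treated as session identifiers.
SESSION_NAMES = ("SID", "GX")


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes such as Secure and HttpOnly map to True; valued ones
    (Path, Domain, ...) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")   # only the first '=' separates name
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_sent_over(cookies, scheme):
    """Names a browser would attach to a request with the given URL scheme.

    Per the Secure attribute semantics (RFC 6265 section 5.4), a Secure cookie
    is only attached when the request itself is over https.
    """
    return [c["name"] for c in cookies
            if scheme == "https" or not c["attrs"].get("secure")]


def audit(headers, session_names=SESSION_NAMES):
    """Return the session cookies that would leak over a plaintext request."""
    cookies = [parse_set_cookie(h) for h in headers]
    return [c["name"] for c in cookies
            if c["name"] in session_names and not c["attrs"].get("secure")]


if __name__ == "__main__":
    parsed = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
    print("sent over http:// :", cookies_sent_over(parsed, "http"))
    print("sent over https:// :", cookies_sent_over(parsed, "https"))
    print("session cookies lacking Secure:", audit(SAMPLE_HEADERS))
```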