Surf Jacking - hijacking HTTPS sessions

Author	All Replies
EGeezer Summertime - Premium join:2002-08-04 Country! ·Callcentric ·RoadRunner Cable ·AT&T CallVantage 1 edit	Surf Jacking - hijacking HTTPS sessions Surf Jacking is an interesting concept that's well explained in a Tech Republic blog article. At the least, the concept provides some reason for increased awareness of the risks of using untrusted networks and browsing HTTP (non-SSL) while a HTTPS (SSL)session is still open. said by article : ... almost a year ago Robert Graham introduced “Side Jacking” at Black Hat 2007. It was such an interesting concept that (the article author) covered it in the article, “Can your wireless network be sidejacked?” Side jacking is a clever way of stealing HTTP session cookies, allowing the attacker to actually hijack a HTTP session without knowing any log on credentials. That was a year ago and now there are proof-of-concept attack tools to do the same thing with SSL connections. ... Article here. -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
	to forum · permalink · · 2008-08-21 01:52:56 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	Interesting. Thanks for posting. While examining cookies recently, I notice that there is a flag "https only", but it is FALSE on all of my cookies, including those from banking sites. I think banks need to reconsider whether to set this flag. My own practice is pretty safe. I use firefox. But I use a separate profile for banking and similar functions. Typically, for banking, I'll open a browser for my banking profile, do the transaction, then close that browser. I normally have another browser running for non-critical tasks (such as visiting dslreports.com). With firefox it is possible to have two browser instances at the same time, but using different profiles. If I needed to do an extra lookup during the banking, I would not do that with my banking profile browser. I use the separate browser profile mainly because of my concern about cookies perhaps being stolen with a new cross site scripting bug. While I was not aware of the possibility of the "side jacking", it is just the kind of possibility that I wanted to protect against. On the other hand, the exploit as described in your linked article sounds a bit improbable. A lot of things have to come together at the same time in order to get the trick to work. My guess is that cybercriminals can find easier ways than this, so I'm doubtful that it will be used much except for proof of concept tests. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1
	to forum · permalink · · 2008-08-21 02:11:52 ·


Monday, 09-Nov 19:38:50	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF