nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| Re: Surf Jacking - hijacking HTTPS sessions Interesting. Thanks for posting.
While examining cookies recently, I notice that there is a flag "https only", but it is FALSE on all of my cookies, including those from banking sites. I think banks need to reconsider whether to set this flag.
My own practice is pretty safe. I use firefox. But I use a separate profile for banking and similar functions. Typically, for banking, I'll open a browser for my banking profile, do the transaction, then close that browser. I normally have another browser running for non-critical tasks (such as visiting dslreports.com). With firefox it is possible to have two browser instances at the same time, but using different profiles. If I needed to do an extra lookup during the banking, I would not do that with my banking profile browser.
I use the separate browser profile mainly because of my concern about cookies perhaps being stolen with a new cross site scripting bug. While I was not aware of the possibility of the "side jacking", it is just the kind of possibility that I wanted to protect against.
On the other hand, the exploit as described in your linked article sounds a bit improbable. A lot of things have to come together at the same time in order to get the trick to work. My guess is that cybercriminals can find easier ways than this, so I'm doubtful that it will be used much except for proof of concept tests.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1 |
·
·
Surf Jacking - hijacking HTTPS sessions
