Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security » Surf Jacking - hijacking HTTPS sessions
Search Topic:
 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
Security Software Updates - 20 Aug 2008 »
« Microsoft Security Bulletin(s) for August 12 2008  
AuthorAll Replies


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to EGeezer
Re: Surf Jacking - hijacking HTTPS sessions

Interesting. Thanks for posting.

While examining cookies recently, I notice that there is a flag "https only", but it is FALSE on all of my cookies, including those from banking sites. I think banks need to reconsider whether to set this flag.

My own practice is pretty safe. I use firefox. But I use a separate profile for banking and similar functions. Typically, for banking, I'll open a browser for my banking profile, do the transaction, then close that browser. I normally have another browser running for non-critical tasks (such as visiting dslreports.com). With firefox it is possible to have two browser instances at the same time, but using different profiles. If I needed to do an extra lookup during the banking, I would not do that with my banking profile browser.

I use the separate browser profile mainly because of my concern about cookies perhaps being stolen with a new cross site scripting bug. While I was not aware of the possibility of the "side jacking", it is just the kind of possibility that I wanted to protect against.

On the other hand, the exploit as described in your linked article sounds a bit improbable. A lot of things have to come together at the same time in order to get the trick to work. My guess is that cybercriminals can find easier ways than this, so I'm doubtful that it will be used much except for proof of concept tests.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1
to forum · permalink · · 2008-08-21 02:11:52 · Reply to this
-
Forums » Up and Running » Security » SecuritySecurity Software Updates - 20 Aug 2008 »
« Microsoft Security Bulletin(s) for August 12 2008  

Wednesday, 02-Dec 21:01:30 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.
page compression OFF
Most commented news this week
· [161] Comcast Releasing Promised Usage Meter
· [93] Graduate Student Unveils Sprint's GPS Sharing With Feds
· [79] Latest Consumer Reports Survey Not Kind To AT&T
· [70] Baltimore To Ban Lazy Cable Installs
· [62] Broadband Killed The Game Console
· [54] Rogers Unveils The ISP Dream Model
· [46] ACTA: Global Three Strikes
· [41] Rural Carriers Quickly Embracing Fiber
· [38] Charter Exits Chapter 11
· [38] AT&T, Verizon Drop 3G Ad Dispute
Most people now reading
· False positive in Avast! or is it real? [Security]
· MS admits Windows Updates principally created to annoy [Security]
· IMG 1.7 (IMG Updates and Discussion) [Verizon FIOS TV]
· Microsoft actively urges IE 6 users to upgrade [Security]
· Furnace starts, then shuts off. [Home Repair & Improvement]
· Ooma changing features [VOIP Tech Chat]
· UBB round 2 at the CRTC [Canadian Broadband]
· [FS] Acer Netbook + Candles + Hard Drives + More! [For Sale/Wanted]
· Maximizing Rogue DPS for ToC/ToGC (3.x) [World of Warcraft]