[HTTPS-E Rulesets] Remove securecookie in VolkswagenBank rule
Seth David Schoen
schoen at eff.org
Tue Feb 21 14:28:30 PST 2012
Felix Geyer writes:
> Logging in to Volkswagen Bank doesn't work anymore
> when securecookie is forced.
>
> Please import the attached patch.
That is a bad sign because it means that the bank's users could be
vulnerable to an attack. Does anyone have a way to contact them about
this?

See

https://www.eff.org/https-everywhere/deploying-https

or

https://en.wikipedia.org/wiki/HTTP_cookie#Network_eavesdropping (the
attacker can make a _different_ page generate a non-HTTPS link to the
bank's site to cause the cookie to be sent over the request for the
non-HTTPS resource)

I'll apply your patch in the meantime, though.

--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
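
The cookie behaviour discussed in this message, as an added example that is not part of the original e-mail or of the HTTPS Everywhere code: a simplified model (Path matching is ignored) of which cookies a browser attaches to a request, with and without a securecookie rule applied. The host bank.example, the cookie names and the helper names are constructed for illustration.

```javascript
// Parse a Set-Cookie header received from `host` (simplified: Path is ignored).
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: host.toLowerCase(), hostOnly: true, secure: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Names of the cookies a browser attaches to a request for `url`.
function cookiesSentTo(url, jar) {
  const { protocol, hostname } = new URL(url);
  return jar
    .filter((c) => hostname === c.domain ||
                   (!c.hostOnly && hostname.endsWith("." + c.domain)))
    .filter((c) => !c.secure || protocol === "https:") // Secure => HTTPS only
    .map((c) => c.name);
}

// Effect of a <securecookie host="..." name="..."/> rule: matching cookies are
// treated as if the site had set the Secure flag itself.
function forceSecure(jar, hostPattern, namePattern) {
  return jar.map((c) =>
    hostPattern.test(c.domain) && namePattern.test(c.name)
      ? { ...c, secure: true } : c);
}

// Constructed sample headers (not taken from any real site).
const HOST = "bank.example";
const jar = [
  "SESSIONID=abc123; Path=/; HttpOnly",     // Secure flag missing
  "PREFS=lang-de; Path=/; Secure",          // Secure flag present
].map((h) => parseSetCookie(h, HOST));

const plainUrl = "http://bank.example/logo.png"; // any non-HTTPS resource
console.log("sent over http, as set by site:", cookiesSentTo(plainUrl, jar));
console.log("sent over http, rule applied:  ",
            cookiesSentTo(plainUrl, forceSecure(jar, /^bank\.example$/, /.+/)));
console.log("sent over https:", cookiesSentTo("https://bank.example/", jar));
```
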