[HTTPS-Everywhere] Flagging cookies as secure
https-everywhere at lists.grepular.com
Thu Nov 11 01:40:11 PST 2010
On 11/11/2010 00:41, Peter Eckersley wrote:
> For sites with complete HTTPS support, this is a moot point because there are no HTTP requests.
I'm not sure I agree with that statement. If you log into a fully https
website which doesn't have the secure flag set on the cookie, and then
go to a different http website which is subsequently MITM'd by somebody
who injects this simple bit of html:
<img src="http://the.site.which.is.supposedly.always.https/">
Then they'll cause your browser to send the cookie over HTTP. Even for
sites which appear to be fully https, I still think it's a good idea to
add the secure flag to their cookies.
Also, if the ruleset looks like this:
<ruleset name="example">
<rule from="^http://(www\.)?example\.com/" to="https://www.example.com/"/>
</ruleset>
And the website is suddenly changed to have content on
"http://static.example.com/" and the cookie's domain value is
".example.com", then all of a sudden it will start leaking the cookie.
I also think it would be nice if we could add HttpOnly flags to cookies
from the https-everywhere rulesets in a similar manner to the secure
flag. Not sure if this would be considered out of scope though?
--
Mike Cardwell https://secure.grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
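The two leak scenarios in the message above, worked through as an added example that is not part of the original post or of HTTPS-Everywhere's own code. It models the ruleset quoted above and a browser's cookie-sending decision (RFC 6265 domain matching plus the Secure attribute), so you can check whether an injected <img> request would carry a given cookie in cleartext. The rule set, cookie attributes and request URLs are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed from the ruleset in the post: only (www.)example.com is rewritten,
# so a request to static.example.com is left on plain HTTP.
RULES = [(re.compile(r"^http://(www\.)?example\.com/"), "https://www.example.com/")]


def apply_rules(url, rules=RULES):
    """Rewrite url the way a matching HTTPS-Everywhere rule would; unchanged otherwise."""
    for pattern, target in rules:
        if pattern.search(url):
            return pattern.sub(target, url, count=1)
    return url


def domain_matches(host, cookie_domain):
    """RFC 6265 domain match: a leading dot means the cookie covers every subdomain."""
    base = cookie_domain.lstrip(".").lower()
    host = host.lower()
    if cookie_domain.startswith("."):
        return host == base or host.endswith("." + base)
    return host == base          # host-only cookie: exact match required


def cookie_sent(url, cookie_domain, secure):
    """Would a browser attach a cookie with these attributes to a request for url?"""
    parts = urlsplit(url)
    if not domain_matches(parts.hostname or "", cookie_domain):
        return False
    if secure and parts.scheme != "https":
        return False             # Secure flag: never sent over plain HTTP
    return True


def leaks_cookie(url, cookie_domain, secure, rules=RULES):
    """True if the request, after any rule rewrite, still carries the cookie over HTTP."""
    final_url = apply_rules(url, rules)
    return urlsplit(final_url).scheme == "http" and cookie_sent(final_url, cookie_domain, secure)


if __name__ == "__main__":
    # Scenario 1 (no extension): injected <img src="http://www.example.com/"> leaks
    print(leaks_cookie("http://www.example.com/", ".example.com", False, rules=[]))   # True
    # Scenario 2 (ruleset active): static.example.com is not rewritten, so it leaks
    print(leaks_cookie("http://static.example.com/", ".example.com", False))          # True
    # The Secure flag closes both holes regardless of ruleset coverage
    print(leaks_cookie("http://static.example.com/", ".example.com", True))           # False
```

The `secure=True` cases show why the flag matters even when a ruleset looks complete: the browser refuses to send the cookie on any HTTP request, covered by a rule or not.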