[HTTPS-Everywhere] Flagging cookies as secure

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Nov 11 08:02:10 PST 2010


On 11/11/2010 04:40 AM, https-everywhere at lists.grepular.com wrote:
> On 11/11/2010 00:41, Peter Eckersley wrote:
> 
>> For sites with complete HTTPS support, this is a moot point because there are no HTTP requests.
> 
> I'm not sure I agree with that statement. If you log into a fully https
> website which doesn't have the secure flag set on the cookie, and then
> go to a different http website which is subsequently MITM'd by somebody
> who injects this simple bit of html:
> 
> <img src="http://the.site.which.is.supposedly.always.https/">
> 
> Then they'll cause your browser to send the cookie over HTTP. Even for
> sites which appear to be fully https, I still think it's a good idea to
> add the secure flag to their cookies.

i think peter was suggesting that if the user is running
https-everywhere and the rule for the domain has no exceptions then even
such an img inclusion scenario will cause the browser to connect back
over HTTPS, foiling the attack.  That's why the extension exists ;)

> Also, if the ruleset looks like this:
> 
> <ruleset name="example">
>   <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/"/>
> </ruleset>
> 
> And the website is suddenly changed to have content on
> "http://static.example.com/" and the cookies domain value is
> ".example.com", then all of a sudden it will start leaking the cookie.

right, this is an example of an exception in the rule (it doesn't cover
the entire domain), which is why this flag is needed.

> I also think it would be nice if we could add HttpOnly flags to cookies
> from the https-everywhere rulesets in a similar manner to the secure
> flag. Not sure if this would be considered out of scope though?

httponly is the "do not use this cookie in javascript" flag, right?
that might cause breakage on some sites that actually do cookie
manipulation in javascript.  What would be nice is a combination of the
two flags somehow -- to allow the site to manipulate the cookie in
javascript as long as the js origin is over https.  I don't know that
such a thing exists, though.

	--dkg
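The two scenarios discussed in this thread (an injected `<img>` pointing at a covered host, and content moving to static.example.com outside the rule's coverage), as an added example that is not HTTPS Everywhere's own code: the rule regex is the one quoted above, the cookie objects and the domain-match helper are constructed here to model browser behaviour.

```javascript
// Added example (not HTTPS Everywhere code): models how a ruleset rewrite and the
// cookie Secure flag together decide whether a session cookie leaks over plaintext.

// Rule from the quoted message; HTTPS Everywhere rules are regexes inside XML.
const ruleset = [
  { from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" },
];

// Apply the first matching rule, like the extension's URL rewrite step.
function applyRuleset(rules, url) {
  for (const r of rules) {
    if (r.from.test(url)) return url.replace(r.from, r.to);
  }
  return url; // no rule covers this URL: the request goes out unchanged
}

// RFC 6265 domain-match: ".example.com" covers example.com and its subdomains.
function cookieDomainMatches(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Would the browser attach this cookie to a plaintext request for `url`?
function cookieLeaksOverHttp(cookie, url, rules) {
  const finalUrl = new URL(applyRuleset(rules, url));
  if (finalUrl.protocol === "https:") return false; // rewritten, nothing to leak
  if (cookie.secure) return false;                  // Secure flag: never sent over http
  return cookieDomainMatches(cookie.domain, finalUrl.hostname);
}

// Constructed cookies: the same session cookie with and without the Secure flag.
const sessionCookie = { name: "sid", domain: ".example.com", secure: false };
const hardenedCookie = { ...sessionCookie, secure: true };

// Injected <img src=...> on an unrelated http page, host covered by the rule: rewritten, safe.
const covered = cookieLeaksOverHttp(sessionCookie, "http://www.example.com/", ruleset);
// Content moved to static.example.com, outside the rule: the cookie leaks without Secure.
const uncovered = cookieLeaksOverHttp(sessionCookie, "http://static.example.com/", ruleset);
// Same coverage gap, but the Secure flag closes it.
const hardened = cookieLeaksOverHttp(hardenedCookie, "http://static.example.com/", ruleset);
console.log({ covered, uncovered, hardened }); // { covered: false, uncovered: true, hardened: false }
```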
