[HTTPS-Everywhere] Flagging cookies as secure

Peter Eckersley pde at eff.org
Fri Nov 12 13:04:02 PST 2010


On Thu, Nov 11, 2010 at 04:19:39PM +0000, https-everywhere at lists.grepular.com wrote:
> On 11/11/2010 16:02, Daniel Kahn Gillmor wrote:
> 
> >> <img src="http://the.site.which.is.supposedly.always.https/">
> >>
> >> Then they'll cause your browser to send the cookie over HTTP. Even for
> >> sites which appear to be fully https, I still think it's a good idea to
> >> add the secure flag to their cookies.
> > 
> > i think peter was suggesting that if the user is running
> > https-everywhere and the rule for the domain has no exceptions then even
> > such an img inclusion scenario will cause the browser to connect back
> > over HTTPS, foiling the attack.  That's why the extension exists ;)
> 
> Oops, my error! Of course, that's the case.
> 

But you're partially right, too.  There are a lot of sites for which our rule
is from="http://(www\.)?domain.com/", and if those have a cookie set for the
entirety of domain.com, an attacker can steal the cookie using an inclusion of
random.junk.domain.com.

So moving forward we should aim to have all rulesets either use securecookies,
target all subdomains (if we're *sure* that doesn't break things -- it often
does), or both.

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
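For illustration, two rulesets in HTTPS Everywhere's ruleset XML (this is an added example, not taken from Peter's message or from the project's own ruleset library; example.com and the legacy host are placeholders): the first has the shape Peter describes, the second applies both of the fixes he proposes.

```xml
<!-- Ruleset 1, the weak shape: only example.com and www.example.com are
     rewritten to HTTPS.  A cookie scoped to .example.com is still attached
     to a request for any other subdomain, and nothing in this ruleset
     rewrites or protects that request, so it can leave the browser in clear. -->
<ruleset name="Example (weak)">
  <target host="example.com" />
  <target host="www.example.com" />
  <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/" />
</ruleset>

<!-- Ruleset 2, hardened: every subdomain is targeted and rewritten, and
     domain-wide cookies get the Secure flag so the browser never sends them
     over HTTP even for a subdomain that is not rewritten.  The securecookie
     host regex is matched against the cookie's domain attribute, which may
     carry a leading dot. -->
<ruleset name="Example (hardened)">
  <target host="example.com" />
  <target host="*.example.com" />
  <securecookie host="^(\.|.*\.)?example\.com$" name=".*" />
  <!-- Known subdomain with no HTTPS (hypothetical): exclude it rather than
       break it, since the secure flag on cookies still protects it. -->
  <exclusion pattern="^http://legacy\.example\.com/" />
  <rule from="^http://example\.com/" to="https://www.example.com/" />
  <rule from="^http:" to="https:" />
</ruleset>
```

Real ruleset files hold one ruleset each; the two are shown together only for comparison.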


