[HTTPS-Everywhere] Flagging cookies as secure
Seth David Schoen
schoen at eff.org
Fri Nov 12 13:11:27 PST 2010
Peter Eckersley writes:
> But you're partially right, too. There are a lot of sites for which our rule
> is from="http://(www\.)?domain.com/", and if those have a cookie set for the
> entirety of domain.com, an attacker can steal the cookie using an inclusion of
> random.junk.domain.com.
>
> So moving forward we should aim to have all rulesets either use securecookies,
> target all subdomains (if we're *sure* that doesn't break things -- it often
> does), or both.
But there's no way to target all subdomains under the <target>
mechanism without eliminating all the efficiency benefits of <target>.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
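The leak Peter describes, modeled in Python as an added example (this is not HTTPS Everywhere's own code; the ruleset XML for the fictional domain.com is constructed here in the ruleset style of the time, the rule/target/securecookie handling is a simplified imitation of the extension's semantics, and the browser's cookie-sending decision is a cut-down RFC 6265 domain-match). It shows that a cookie set for all of domain.com is sent in the clear to random.junk.domain.com, which no <target> covers, and that a <securecookie> element is what stops it:

```python
"""Model of the cookie-leak discussed above (added example, not project code).

Assumptions: the ruleset strings below are constructed for this example;
parse_ruleset/rewrite/apply_securecookie imitate HTTPS Everywhere behaviour
only as far as the thread describes it; cookie_sent_to is a simplified
RFC 6265 domain-match plus the Secure-flag check.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the style the thread describes: only domain.com and
# www.domain.com are targets, and the rule's "from" regex matches the same hosts.
RULESET_NO_SECURECOOKIE = r"""
<ruleset name="Domain.com (constructed example)">
  <target host="domain.com" />
  <target host="www.domain.com" />
  <rule from="^http://(www\.)?domain\.com/" to="https://www.domain.com/" />
</ruleset>
"""

# Same targets and rule, plus a <securecookie> covering domain.com and all subdomains.
RULESET_SECURECOOKIE = r"""
<ruleset name="Domain.com (constructed example, securecookie)">
  <target host="domain.com" />
  <target host="www.domain.com" />
  <securecookie host="^\.?(.*\.)?domain\.com$" name=".*" />
  <rule from="^http://(www\.)?domain\.com/" to="https://www.domain.com/" />
</ruleset>
"""


def parse_ruleset(xml_text):
    """Parse the three element types used above into plain Python structures."""
    root = ET.fromstring(xml_text.strip())
    return {
        "targets": {t.get("host") for t in root.findall("target")},
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")],
        "securecookies": [(re.compile(s.get("host")), re.compile(s.get("name")))
                          for s in root.findall("securecookie")],
    }


def rewrite(ruleset, url):
    """Return the https URL if the host is a <target> and a <rule> matches.

    The <target> set is the efficiency trick Seth refers to: the host is looked
    up first, so the rule regexes only run for hosts that are listed. A host
    that is not a target (random.junk.domain.com) is never touched.
    """
    host = urlsplit(url).hostname
    if host not in ruleset["targets"]:
        return url
    for pattern, to in ruleset["rules"]:
        if pattern.match(url):
            return pattern.sub(to, url, count=1)
    return url


class Cookie:
    def __init__(self, name, domain, secure=False):
        self.name = name
        self.domain = domain      # ".domain.com" means domain.com and all subdomains
        self.secure = secure


def apply_securecookie(ruleset, cookie):
    """Set the Secure flag when a <securecookie> host/name pattern matches the cookie."""
    for host_re, name_re in ruleset["securecookies"]:
        if host_re.match(cookie.domain) and name_re.match(cookie.name):
            cookie.secure = True
    return cookie


def cookie_sent_to(cookie, url):
    """Simplified browser decision: domain-match, then refuse Secure cookies on http."""
    parts = urlsplit(url)
    cookie_domain = cookie.domain.lstrip(".")
    host = parts.hostname
    if not (host == cookie_domain or host.endswith("." + cookie_domain)):
        return False
    if cookie.secure and parts.scheme != "https":
        return False
    return True


def attack_scenario(xml_text):
    """Does a session cookie for .domain.com reach an attacker-chosen plain-HTTP subdomain?"""
    rs = parse_ruleset(xml_text)
    cookie = apply_securecookie(rs, Cookie("session", ".domain.com"))
    victim_url = "http://random.junk.domain.com/"   # attacker includes this as an <img> etc.
    return {
        "rewritten": rewrite(rs, victim_url) != victim_url,   # False: host is not a target
        "cookie_sent": cookie_sent_to(cookie, victim_url),
    }


if __name__ == "__main__":
    print("without securecookie:", attack_scenario(RULESET_NO_SECURECOOKIE))
    print("with securecookie:   ", attack_scenario(RULESET_SECURECOOKIE))
```

The two runs differ only in the <securecookie> element: in both, the request to random.junk.domain.com is left on http because the host is not a target, but once the cookie carries the Secure flag the browser withholds it from that request, which is the whole point of the flag.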