[HTTPS-Everywhere] Sites that already enforce HTTPS

Micah Lee micah at eff.org
Wed Aug 31 17:32:26 PDT 2011


On 08/31/2011 05:20 PM, Erik Harris wrote:
> There's still an initial unsecure connection that can be intercepted
> (I'm not sure I buy that there's any significant risk to that, but it's
> still an unsecure connection).

If the website in question didn't set the secure flag on the session
cookie (which they really should if they're already forcing https), that
initial connection is enough for someone to hijack your session because
your cookie will get sent in plaintext.

If the website in question forces https and uses secure cookies, a tool
like sslstrip can prevent the redirecting to https and you might not
notice. The attacker using sslstrip will still be making an https
connection to the server, but you'll be making an http connection to the
attacker.

-- 
Micah Lee
Web Developer - Electronic Frontier Foundation
micah at eff.org - https://www.eff.org/
Join the EFF  - https://www.eff.org/join
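A defender-side check for the first point in the reply above, as an added example that is not part of the original thread: it parses `Set-Cookie` headers and reports cookies that lack the `Secure` flag, since a browser would send those over the initial plain-http connection. The sample headers are constructed, not captured from any real site.

```python
"""Flag cookies that a browser would also send over plain http (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value, e.g. 'sid=abc; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in header.split(";")]
    # The first segment is name=value; everything after it is an attribute.
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; value-less ones (Secure, HttpOnly) are just flags.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def insecure_cookies(headers: list[str]) -> list[str]:
    """Names of cookies that would be transmitted on an http request to the same host."""
    return [r.name for r in map(parse_set_cookie, headers) if not r.secure]


# Constructed sample response headers for a site that redirects http -> https
# but still sets its session cookie without the Secure flag.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",            # missing Secure: leaks on the http hop
    "csrftoken=xyz; Path=/; Secure; SameSite=Lax",   # fine
    "prefs=dark; Path=/",                            # missing Secure, low value but still leaks
]

if __name__ == "__main__":
    for cookie_name in insecure_cookies(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} lacks the Secure flag and will be sent over http")
```

Note that the `Secure` flag only addresses cookie leakage on that first hop; it does nothing against the sslstrip-style downgrade described in the second paragraph.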


