[HTTPS-Everywhere] Sites that already enforce HTTPS

Maxim Nazarenko nz.phone at mail.ru
Wed Aug 31 17:38:40 PDT 2011


I see. Now I agree that such rules should be kept.

Best regards,
Maxim Nazarenko

On 31 August 2011 17:32, Micah Lee <micah at eff.org> wrote:
> On 08/31/2011 05:20 PM, Erik Harris wrote:
>> There's still an initial unsecure connection that can be intercepted
>> (I'm not sure I buy that there's any significant risk to that, but it's
>> still an unsecure connection).
>
> If the website in question didn't set the secure flag on the session
> cookie (which they really should if they're already forcing https), that
> initial connection is enough for someone to hijack your session because
> your cookie will get sent in plaintext.
>
> If the website in question forces https and uses secure cookies, a tool
> like sslstrip can prevent the redirecting to https and you might not
> notice. The attacker using sslstrip will still be making an https
> connection to the server, but you'll be making an http connection to the
> attacker.
>
> --
> Micah Lee
> Web Developer - Electronic Frontier Foundation
> micah at eff.org - https://www.eff.org/
> Join the EFF  - https://www.eff.org/join

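A defender-side check for the cookie case Micah describes, added here as an example and not part of the original thread: given a site's response headers (a constructed sample below, not from any real site), it reports which cookies a browser would still attach to the initial plain-http request because they lack the Secure flag, and flags the ones that look like session cookies. The header sample, the function names and the SESSION_NAME_HINTS heuristic are all assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample: a site that redirects http -> https but whose
# session cookie was set without the Secure flag (the weak case).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Location", "https://example.invalid/"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly"),
]

# Heuristic (assumption): names that usually identify a session cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def cookies_sent_over_http(headers: List[Tuple[str, str]]) -> List[str]:
    """Names of cookies a browser would send on an http:// request (no Secure flag)."""
    leaked = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "secure" not in cookie["attrs"]:
            leaked.append(cookie["name"])
    return leaked


def audit_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Findings for cookies missing Secure; session-looking names are rated HIGH."""
    findings = []
    for name in cookies_sent_over_http(headers):
        looks_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
        severity = "HIGH" if looks_session else "LOW"
        findings.append(f"{severity}: cookie {name!r} lacks Secure and is sent in plaintext on the initial http:// request")
    return findings


if __name__ == "__main__":
    for line in audit_cookies(SAMPLE_HEADERS):
        print(line)
```

Run against live headers (for example from a HEAD request to the http:// origin), the same functions tell you whether "already forces HTTPS" is actually enough for that site.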