Submitted by mikeperry on Thu, 09/25/2008 - 07:16
Two weeks ago, I announced on Slashdot that CookieMonster was available via email to people who were security consultants and site admins. Unfortunately, I guess I wasn't crystal clear on the procedure for requesting the tool, and many people simply emailed me with no body. Now I'm announcing it again, and also opening up the field to all journalists and all bloggers as well. So, if you would like a copy of the tool, and are a security consultant, teacher, student, blogger, journalist, or site admin, please email me with which sites you admin, write for, blog on, or consult with, and MAKE SURE to put "CookieMonster" in the subject line. If you can't figure out my email address, you are automatically ineligible for the tool ;).
I know, I know, I should just bite the bullet and post a link to the tool. But I want to make sure that word is spread thoroughly, and that sites that are serious about protecting their users from this attack have time (within reason) to secure themselves. Gmail in particular is still ironing out some final bugs in their mixed mode https-is-really-secure implementation, so I've decided to be Mr. Nice Guy and at least wait for them. Hey, maybe they'll return the favor and make their obnoxious query rate limiting system at least actually present captchas for Tor users instead of outright blocking us? Here's hoping ;)