Submitted by mikeperry on Wed, 08/27/2008 - 03:43
Google has committed to providing automatic secure cookie support for https gmail users by 9/4/08 via a mechanism similar but not identical to the method I described in this post, and has requested I not release the tool until then. Additionally, Twitter has informed me they are working on a fix as well.
However, I am having difficulty in convincing many other sites that it is important to provide at least optional SSL for their users. Most have simply been silent (one can hope they are fixing the issue in secret?), but a security engineer from one site remarked "this is an attack against the end-user, not the web application itself", and is disinclined to provide even optional SSL for their users to protect themselves, leaving the personal inboxes and outboxes of their users vulnerable to download, and their profiles vulnerable to vandalism. My hope is that eventually, the market will take care of sites like these for us.
A big difficulty seems to be the fact that site admins don't recognize (or don't care about) the fact that their users do not even have to be using their sites when they use an insecure network (which is any network, really) in order to have their cookies stolen. To try to address this (and to underscore the fact that human-readable program code qualifies as speech), sometime in the next couple of days, I will write a blog post with excerpts from the core logic loop of CookieMonster along with commentary describing how it is able to grab cookies from any arbitrary site, regardless of whether the user even visits them.
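The defence the post is asking sites for is the Secure attribute on session cookies, so that a browser never sends them over plain HTTP even when an attacker's page references the site. As an added example (not code from this post or from CookieMonster), the following audits Set-Cookie headers for session cookies that lack the flag and shows how to rewrite such a header; the header values and the list of session cookie names are constructed for the example.

```python
from http.cookies import SimpleCookie

# Cookie names this audit treats as session/authentication cookies.
# Constructed for the example; adapt to the application being audited.
SESSION_COOKIE_NAMES = {"SID", "LSID", "sessionid"}

# Constructed sample Set-Cookie header values (not from any real site).
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; HttpOnly",              # session cookie, sent over HTTP too
    "LSID=def456; Path=/; Secure; HttpOnly",     # correctly restricted to HTTPS
    "prefs=lang%3Den; Path=/; Max-Age=31536000", # non-sensitive preference cookie
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, Morsel) pairs."""
    jar = SimpleCookie()
    jar.load(header)
    return list(jar.items())


def audit_cookie(name, morsel):
    """Return the protections a session cookie is missing (empty list if fine)."""
    findings = []
    if name in SESSION_COOKIE_NAMES:
        if not morsel["secure"]:
            findings.append("missing Secure: browser sends it over plain HTTP")
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: readable by page scripts")
    return findings


def audit_headers(headers):
    """Map each deficient session cookie name to its list of findings."""
    report = {}
    for header in headers:
        for name, morsel in parse_set_cookie(header):
            findings = audit_cookie(name, morsel)
            if findings:
                report[name] = findings
    return report


def harden(header):
    """Rewrite a Set-Cookie value so session cookies carry Secure and HttpOnly."""
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        if name in SESSION_COOKIE_NAMES:
            morsel["secure"] = True
            morsel["httponly"] = True
    return "; ".join(m.OutputString() for m in jar.values())
```

Note that Secure only keeps the cookie off plaintext connections; the site still has to serve its login and session pages over HTTPS for the flag to be settable at all.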