Google Provides Timeline, Twitter Agrees to Provide Secure SSL

Google has committed to providing automatic secure cookie support for https gmail users by 9/4/08 via a mechanism similar but not identical to the method I described in this post, and has requested I not release the tool until then. Additionally, Twitter has informed me they are working on a fix as well.

However, I am having difficulty in convincing many other sites that it is important to provide at least optional SSL for their users. Most have simply been silent (one can hope they are fixing the issue in secret?), but a security engineer from one site remarked "this is an attack against the end-user, not the web application itself", and is disinclined to provide even optional SSL for their users to protect themselves, leaving the personal inboxes and outboxes of their users vulnerable to download, and their profiles vulnerable to vandalism. My hope is that eventually, the market will take care of sites like these for us.

A big difficulty seems to be the fact that site admins don't recognize (or don't care about) the fact that their users do not even have to be using their sites when they use an insecure network (which is any network, really) in order to have their cookies stolen. To try to address this (and to underscore the fact that human readable program code qualifies as speech), sometime in the next couple of days, I will write a blog post with excerpts from the core logic loop of CookieMonster along with commentary describing how it is able to grab cookies from any arbitrary site, regardless of whether the user even visits them.
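The fix the post is asking sites for is the cookie's Secure attribute: a cookie set without it is attached by the browser to every plain-HTTP request for the cookie's domain, including requests the user never initiated, which is why a user who is merely on the same network as an attacker is exposed. The following is an added example (not CookieMonster, and not code from the post or from any of the sites named) of the check a site operator can run against their own response headers: it parses each Set-Cookie header, reports session-looking cookies that lack Secure (and HttpOnly), and shows the hardened form. The sample headers, the cookie names and the `example.com` domain are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure flag (added example, not from the original post)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Name fragments that usually mark an authentication cookie; an assumption
# for this example, tune it to the site's own cookie names.
SESSION_LIKE = ("sid", "session", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def audit_cookie(header: str) -> CookieAudit:
    """Report why a single Set-Cookie header leaves the user exposed on an open network."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    result = CookieAudit(name, secure, httponly)
    if not secure:
        # Without Secure the browser sends the cookie on any plain-HTTP request
        # for this domain, whether or not the user meant to visit the site.
        result.findings.append("missing Secure: cookie is sent over plain HTTP")
    if any(frag in name.lower() for frag in SESSION_LIKE) and not httponly:
        result.findings.append("missing HttpOnly on session-like cookie")
    return result


def harden(header: str) -> str:
    """Return the same Set-Cookie header with Secure and HttpOnly appended if absent."""
    _, attrs = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


def audit_response(headers: list[tuple[str, str]]) -> list[CookieAudit]:
    """Audit every Set-Cookie header in a list of (header-name, value) pairs."""
    return [audit_cookie(value) for key, value in headers if key.lower() == "set-cookie"]


# Constructed sample response headers for the example; not captured from any real site.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SID=abc123; Domain=.example.com; Path=/; Expires=Wed, 09 Sep 2009 00:00:00 GMT"),
    ("Set-Cookie", "prefs=lang%3Den; Path=/"),
    ("Set-Cookie", "AUTH=xyz; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for key, value in SAMPLE_HEADERS:
        if key.lower() != "set-cookie":
            continue
        audit = audit_cookie(value)
        status = "OK" if not audit.findings else "; ".join(audit.findings)
        print(f"{audit.name}: {status}")
        if audit.findings:
            print(f"  hardened: {harden(value)}")
```

Run against a real site's own responses, the same audit function can be fed the Set-Cookie headers from an HTTPS response; any session cookie that shows up in the findings is one the site is handing to the local network every time the browser makes an HTTP request for that domain, and the hardened header is the minimal change (the Secure attribute) that stops it.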

...

Oh hell, you might as well not release the tool at all then, jeez, what started as altruistic bowing to major corporate pressure has degenerated into bending over for anyone who cries that they don't have enough time to fix the problem...a problem that has been known for over a year now. And sadly, even the security researchers are capitulating.

/sigh

Heh

I sense something of a disgruntled script kiddie in you. But don't worry. At some point very soon, I will begin providing copies of the tool to people with unofficial SSL certs. At the 30 day mark past the talk (9/9/08 or so), I will provide it to anyone who asks who wants to verify my claims and the claims of others that many sites are vulnerable and are not responding. Soon after that, no matter what I do, the tool will be out there. And even if it isn't, there's always airpwn+wireshark's tshark, which together provided a manual exploitation method for the past several years.

However, it seems very silly to release the tool publicly when some sites are agreeing to fix the problem and quickly working on a fix. Having the tool under some level of control actually is buying me a lot of leverage to get people to do SSL and do it right, fast. Releasing the tool causes me to lose a lot of that leverage (especially with respect to timing motivation), and the only leverage that will remain is public embarrassment at that point.

So yes, maybe I am "bowing to corporate pressure". But when these corporate interests agree to securing their sites and their users in a reasonable amount of time, I do feel obligated to give them that time. However, if Microsoft or anyone else comes back with any date much past 9/9/08, they are likely to find themselves at the mercy of the Internet...

Sadly, Google Apps for domains does not yet provide users with the HTTPS always option and loads the start page via HTTP...

http://packetstormsecurity.org/0809-advisories/drupal-hijack.txt

This is what you get for waiting to disclose; others claiming credit for your work.
