Submitted by mikeperry on Thu, 12/25/2008 - 08:33
After waiting far, far longer than I had originally anticipated, I'm finally publicly posting the CookieMonster utility. I've worked with a number of developers and site admins to help test and secure their sites properly, but unfortunately, it is still the case that many sites are vulnerable. In fact, even after much correspondence with Google on the subject, it is still possible to hijack the Gmail accounts of users who attempt to use https but are unaware of the "Always use https" preference. Using CookieMonster's FULL_BOUNCE_FOR config option to redirect those users to the plain http://mail.google.com URL will still cause Google to re-issue an insecure version of their 'GX' cookie, which a local attacker can then sniff to hijack their Gmail accounts...
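The condition the paragraph above describes, a session cookie re-issued without the Secure attribute after the client is bounced to an http:// URL, can be checked mechanically from a server's Set-Cookie headers. The following is an added example, not CookieMonster's code and not Google's real headers: the two responses are constructed for illustration (the GX cookie name comes from the post; its value and the PREF cookie are made up), and the attribute parser is a deliberately small one rather than a full RFC 6265 implementation.

```python
"""Added example: audit Set-Cookie headers for session cookies that a client
would send over plain http://, the condition the post describes for the GX
cookie after a FULL_BOUNCE_FOR redirect. Not CookieMonster's code; the
responses below are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie.

    Only the pieces needed here: NAME=VALUE, then ';'-separated attributes.
    Flag attributes (Secure, HttpOnly) are stored with an empty value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def cookies_for_scheme(cookies, scheme: str):
    """Names of the cookies a browser attaches to a request made over `scheme`.

    A cookie without the Secure attribute is sent over both http and https;
    that is exactly what a sniffer on the local network is waiting for."""
    return [c.name for c in cookies if scheme == "https" or not c.secure]


def audit_session_cookies(response_headers, session_cookie_names):
    """Return (cookies, findings) for one server response.

    `response_headers` is a list of (name, value) pairs as received. Any
    session cookie issued without Secure is reported: bouncing the client to
    an http:// URL then makes the browser reveal it in the clear."""
    cookies = [parse_set_cookie(v) for k, v in response_headers
               if k.lower() == "set-cookie"]
    findings = []
    for c in cookies:
        if c.name in session_cookie_names and not c.secure:
            findings.append(f"{c.name}: issued without Secure, "
                            "will be sent over http://")
    return cookies, findings


# Constructed sample responses (not real Google headers). The first models a
# server that re-issues the session cookie on a plain-http request; the second
# models the same server after fixing the cookie attributes.
BOUNCED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "GX=constructed-session-token; Path=/mail; HttpOnly"),
    ("Set-Cookie", "PREF=ui-prefs; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "GX=constructed-session-token; Path=/mail; Secure; HttpOnly"),
    ("Set-Cookie", "PREF=ui-prefs; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT"),
]
SESSION_COOKIES = {"GX"}


if __name__ == "__main__":
    for label, hdrs in (("bounced", BOUNCED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        cookies, findings = audit_session_cookies(hdrs, SESSION_COOKIES)
        print(label, "-> sent over http://:", cookies_for_scheme(cookies, "http"))
        for f in findings:
            print("  FINDING:", f)
```

Run against a real site, the header list would come from a plain-http request to the login or mail URL after an authenticated https session, since the point of the bounce is that the server re-issues the cookie on that request. HttpOnly does nothing against this attack: it hides the cookie from script, not from the wire. The fix is the Secure attribute on every session cookie together with never answering session-bearing requests over http at all.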
However, I'm not releasing the tool out of vengeance against any sites that may not yet have secured themselves. More practically, I cannot continue to manage the release of the tool by emailing copies to select individuals. As I have argued before, I still believe the tool has a better positive impact if it is released, for web developers and students to study and play with.
I actually intended to post the tool much earlier than this, but had been sidetracked by the desire to clean up and commit back patches that I've made to the support libraries CookieMonster uses. I also needed a vacation. The addition of this project effectively meant I was working 3 jobs: my day job, work with the Tor project, and managing this disclosure process and tool updates. So I spent the last couple of months putting these volunteer projects on hold and relaxing as much as I could to rest up and avoid total burnout while I finished up at Riverbed and prepared to transition to full time at the Tor Project.
Patches are welcome. Maybe at some point I or someone else will update it for FC10 Live CDs, ethernet, and write some test cases for Dug Song for the dpkt 802.11 support Damon McCoy and I wrote. I wouldn't hold your breath though :)