Automated HTTPS Cookie Hijacking

This past weekend I gave a talk at DEFCON 16 describing a very common vulnerability with many SSL-secured websites (slides are here). It actually all started last year when I began development on The Torbutton Firefox Extension and agreed to speak at Black Hat USA 2007 and DEFCON 15 on my findings with respect to Tor Security. In that talk, I announced that many sites used over Tor were not setting the 'Encrypted Sessions Only' bit on cookies they set over https. This is the case with GMail,, most Drupal sites, Facebook, Amazon's purchase history, Yahoo mail, Hotmail/MSN, many many online merchants, and a few of my friends' banks. is reborn

They say that after 7-10 years, every atom that makes up your body has been replaced. Brand new stardust, as it were. Well, this domain turned 8 last year when I took down all the content. It turned 9 today, and so like a phoenix rising from the ashes, has been reborn.

My How Things Have Changed

What follows is an expert from my old blog in 2003 about the Microsoft graduating intern barbecue held at Bill Gates's house on Lake Washington. It's very interesting to compare and contrast with Microsoft's recent attempts to cozy up with the open source community and court developers. Makes me wonder if someone at Microsoft saw this journal entry before I took it down :)

Syndicate content