Need More Time to Fix Your Sites? Please contact me

If you are a site maintainer who has become aware of the pending release of my automated https cookie hijacking tool and you still need time to adjust your site to handle ssl correctly for people who need it, please contact me, and I will delay the release of the tool for a short period of time. You should be able to infer my email address from my posting username and the name of this site. As of this date, I still have received no requests for extension from any major websites save Google, and so the tool is currently scheduled for tentative release on EOD Monday. I can also provide pre-release copies of the tool to site maintainers interested in testing their sites.

How to Properly Provide Mixed HTTP and HTTPS Support

I've noticed that many sites seem to want to only support SSL partially, so that they don't have to invest in expensive SSL accelerators. While I can't necessarily say this fits in with my grand design to move the entire web over to SSL for good, if it has to be done, it might as well be done securely. This post attempts to describe the general pattern for how to do it.

Why Full Disclosure?

When I explain the completeness and the automated nature of my HTTPS cookie hijacking tool, the first reaction of many of my friends was to remark "Are you sure it is a good idea to release this?"

Why the Gmail HTTPS "Fix" Isn't

About a week before my talk, Google announced that they are "making security easier" by providing people with the option of using only https for gmail. I think this "fix" is still broken for several reasons.

Automated HTTPS Cookie Hijacking

This past weekend I gave a talk at DEFCON 16 describing a very common vulnerability with many SSL-secured websites (slides are here). It actually all started last year when I began development on The Torbutton Firefox Extension and agreed to speak at Black Hat USA 2007 and DEFCON 15 on my findings with respect to Tor Security. In that talk, I announced that many sites used over Tor were not setting the 'Encrypted Sessions Only' bit on cookies they set over https. This is the case with GMail,, most Drupal sites, Facebook, Amazon's purchase history, Yahoo mail, Hotmail/MSN, many many online merchants, and a few of my friends' banks.

CookieMonster: Cookie Hijacking

Cookiemonster is a proof of concept python-based cookie hijacking utility that is able to capture cookies of improperly secured HTTPS sites via the local network. In its default mode of operation, Cookiemonster tracks the HTTPS sites visited by a each local client IP and then automatically injects HTML elements for each HTTPS domain into subsequent regular HTTP requests to a particular client. This causes any insecure HTTPS cookies from the automatically collected target domains to be transmitted unencrypted for capture by Cookiemonster, which then writes them into Firefox 2.0 or 3.0 compatible cookie files.

TorFlow: Tor Network Analysis

TorFlow is set of python scripts written to scan the Tor network for misbehaving, misconfigured, and overloaded Tor nodes. The ultimate goal is to build an automated, distributed reputation system that feeds into the Tor directory servers and provides them with information on the stability, capacity, and trustworthiness of routers, so that they can set flags that clients can use in routing decisions. This is admittedly a lofty goal. In the meantime it should be able to figure out a bunch of neat stuff about Tor.

Syndicate content