DEFCON16

Need More Time to Fix Your Sites? Please contact me

If you are a site maintainer who has become aware of the pending release of my automated HTTPS cookie hijacking tool and you still need time to adjust your site to handle SSL correctly for people who need it, please contact me, and I will delay the release of the tool for a short period of time. You should be able to infer my email address from my posting username and the name of this site. As of this date, I have still received no requests for extension from any major websites save Google, and so the tool is currently tentatively scheduled for release at EOD Monday. I can also provide pre-release copies of the tool to site maintainers interested in testing their sites.

Why Full Disclosure?

When I explained the completeness and the automated nature of my HTTPS cookie hijacking tool, the first reaction of many of my friends was to remark, "Are you sure it is a good idea to release this?"

Why the Gmail HTTPS "Fix" Isn't

About a week before my talk, Google announced that they are "making security easier" by providing people with the option of using only HTTPS for Gmail. I think this "fix" is still broken for several reasons.
