FullDisclosure

CookieMonster Available for All Site Admins, Bloggers, Students

Two weeks ago, I announced on slashdot that CookieMonster was available via email to people who were security consultants and site admins. Unfortunately, I guess I wasn't crystal clear on the procedure for requesting the tool, and many people simply emailed me with no body. Now I'm announcing it again, and also opening up the field to all journalists and all bloggers as well. So, if you would like a copy of the tool, and are a security consultant, teacher, student, blogger, journalist, or site admin, please email me with which sites you admin, write for, blog on, or consult with, and MAKE SURE to put "CookieMonster" in the subject line. If you can't figure out my email address, you are automatically ineligible for the tool ;).

CookieMonster Core Logic, Configuration, and READMEs

This post describes the core logic of CookieMonster in more precise terms than the previous overview post. The hope is to drive home exactly how the tool functions, and to underscore that source code counts as speech in this capacity (and in general). In addition, the README that illustrates how the tool is used, and a README describing a "Quick Start" Live CD method for Mac and Windows users who do not have Linux installs are now available. Finally, an example configuration file for the tool is now posted as well. These should hopefully give a clearer picture of how the tool works and how it can be used.

Google Provides Timeline, Twitter Agrees to Provide Secure SSL

Google has committed to providing automatic secure cookie support for https gmail users by 9/4/08 via a mechanism similar but not identical to the method I described in this post, and has requested I not release the tool until then. Additionally, Twitter has informed me they are working on a fix as well.

Incomplete List of Alleged Vulnerable Sites

A couple people have asked me to provide a list of sites vulnerable to HTTPS hijacking. Unfortunately as a privacy advocate, I have a habit of shunning most Internet services that accumulate or otherwise link my activity long term and beyond my control. I also hate buying items online because of the data profiling, marketing, identity theft, and privacy issues associated with the inability to use anonymous digital cash, and the requirement for complete tracking of every purchase.

However, a number of people have tested the security properties of their own accounts using the method I outlined at the bottom of this post. What follows are the unofficial, unverified, secondhand results as reported to me. If you are aware of any other sites that seem vulnerable, please contact me and I will add them to the list. Additionally, if you have already been provided a copy of the tool, verification or repudiation of the status of these sites would be much appreciated, as I personally have accounts at almost none of them.

Microsoft to Provide Timeline for SSL, Release Date Postponed Further

Microsoft has committed to providing a timeline for fixing the SSL issues with Hotmail/Live by next Friday and has requested that the tool release be postponed at least until then. I will of course grant this request. I had previously already agreed to delay until end of day on Monday for a similar timeline from Google to provide automatically negotiated secure cookie support, but this does extend things a bit further. However, I will still provide copies of the tool to anyone who contacts me from an email matching the contact info of a domain that is fully paid up with its protection money to the SSL mafia for a current, valid SSL certificate.

Need More Time to Fix Your Sites? Please contact me

If you are a site maintainer who has become aware of the pending release of my automated https cookie hijacking tool and you still need time to adjust your site to handle SSL correctly for people who need it, please contact me, and I will delay the release of the tool for a short period of time. You should be able to infer my email address from my posting username and the name of this site. As of this date, I still have received no requests for extension from any major websites save Google, and so the tool is currently scheduled for tentative release on EOD Monday. I can also provide pre-release copies of the tool to site maintainers interested in testing their sites.

How to Properly Provide Mixed HTTP and HTTPS Support

I've noticed that many sites seem to want to only support SSL partially, so that they don't have to invest in expensive SSL accelerators. While I can't necessarily say this fits in with my grand design to move the entire web over to SSL for good, if it has to be done, it might as well be done securely. This post attempts to describe the general pattern for how to do it.

Why Full Disclosure?

When I explained the completeness and the automated nature of my HTTPS cookie hijacking tool, the first reaction of many of my friends was to remark "Are you sure it is a good idea to release this?"

Automated HTTPS Cookie Hijacking

This past weekend I gave a talk at DEFCON 16 describing a very common vulnerability with many SSL-secured websites (slides are here). It actually all started last year when I began development on The Torbutton Firefox Extension and agreed to speak at Black Hat USA 2007 and DEFCON 15 on my findings with respect to Tor Security. In that talk, I announced that many sites used over Tor were not setting the 'Encrypted Sessions Only' bit on cookies they set over https. This is the case with GMail, addons.mozilla.org, most Drupal sites, Facebook, Amazon's purchase history, Yahoo mail, Hotmail/MSN, many many online merchants, and a few of my friends' banks.
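The condition described above, a cookie issued over HTTPS without the "Encrypted Sessions Only" (Secure) attribute, is something a site admin can check from their own server's responses. The following is an added example written for this page; it is not code from the original posts or from CookieMonster. It parses Set-Cookie header values, flags any that lack Secure, rates the finding higher when the cookie name looks like a session identifier (the SESSION_HINTS list is an assumed heuristic, not something the post defines), and shows the corrected header. The sample headers are constructed and do not come from any real site.

```python
"""Audit Set-Cookie headers for cookies issued over HTTPS without the Secure attribute."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    attributes: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Split one Set-Cookie value into the cookie name and its attribute list."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = [p for p in parts[1:] if p]
    lowered = [a.lower() for a in attrs]
    return CookieReport(
        name=name,
        secure="secure" in lowered,
        httponly="httponly" in lowered,
        attributes=attrs,
    )


# Assumed heuristic: substrings that usually mark an authentication cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(headers: List[str], over_https: bool = True) -> List[str]:
    """Return one finding per cookie that was set over HTTPS without Secure.

    Without Secure, the browser will also attach the cookie to plain http://
    requests for the same domain, which is what exposes it on the wire.
    """
    findings = []
    for header in headers:
        report = parse_set_cookie(header)
        if over_https and not report.secure:
            severity = "HIGH" if looks_like_session_cookie(report.name) else "LOW"
            findings.append(
                f"{severity}: cookie '{report.name}' set over HTTPS without Secure; "
                f"browser will send it over http://"
            )
    return findings


def add_secure(header_value: str) -> str:
    """Return the header with the Secure attribute appended if it is missing."""
    if parse_set_cookie(header_value).secure:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.test; HttpOnly",
    "PREF=lang=en; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "AUTH=zzz; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
    print("fixed:", add_secure(SAMPLE_HEADERS[0]))
```

Run it against the Set-Cookie lines from your own site's HTTPS login response; any HIGH finding means the session cookie is not confined to the encrypted channel. The fix is the one-word attribute change add_secure() shows, applied wherever the application framework issues the cookie.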
