Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information

ronjor · Sep 24, 2015

Original Release date: 24 Sep 2015 | Last revised: 24 Sep 2015

Overview
RFC 6265 (previously RFC 2965) established HTTP State Management, also known as "cookies". In most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information.
Click to expand...

http://www.kb.cert.org/vuls/id/804060

Amanda · Sep 24, 2015

I wonder why nobody fixed this, even though they were notified several months ago.

I'm not sure I understoo the issue correctly, but if I block all cookies by default and only allow certain cookies to be stored (such as this website), I'm safe form this vulnerability?

ronjor · Sep 25, 2015

Cookies can render secure websites vulnerable in all modern browsers
Martin Anderson Thu 24 Sep 2015 4.40pm
CERT have issued a new directive notifying that cookies can be used to allow remote attackers to bypass a secure protocol (HTTPS) and reveal private session information – and that modern browsers, including Apple’s Safari, Mozilla’s Firefox and Google’s Chrome, currently provide no protection against the attack vector. Research indicates that secure sites as important as Google and the Bank of America are vulnerable to the technique.
Click to expand...

https://thestack.com/security/2015/...e-websites-vulnerable-in-all-modern-browsers/

Log in or Sign up

Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information

ronjor Global Moderator

Amanda Registered Member

ronjor Global Moderator

Log in or Sign up

Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information

ronjor Global Moderator

Amanda Registered Member

ronjor Global Moderator

Useful Searches