A problem with the way HTTP cookies are set can allow attackers to circumvent HTTPS and steal private information, warns the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. The problem affects all major browsers.
The problem is that the cookie standard specifies no mechanism for isolation and integrity, and browsers do not always authenticate the domain setting of a cookie. An attacker could use this to set a cookie that is later used for an HTTPS connection instead of the cookie from the website. For example, an attacker can set a cookie for example.com on the victim's computer that overwrites the real cookie for www.example.com when the victim loads HTTPS content. By exploiting a further vulnerability in the server, the attacker can then use the cookie to obtain private information.
The researchers, who discussed the problem at the most recent USENIX Security Symposium, note that a cookie may carry a so-called "secure flag", indicating that it must be sent only over an HTTPS connection. However, there is no corresponding flag that indicates how the cookie was set. A man-in-the-middle attacker could therefore inject cookies that are used on subsequent HTTPS connections. According to CERT/CC, attempts have been made to secure cookie management, but all have failed for lack of a widely implemented standard.
As a solution, the organization says that the cookie standard must be changed. In the meantime, the researchers advise websites to set up HSTS (HTTP Strict Transport Security) on the top-level domain and to use the "includeSubDomains" option. This partly prevents an attacker from setting top-level cookies that override the cookies for a subdomain, such as www.domeinnaam.tld. End users are advised to use the latest browser version. IE users in particular would be wise to do so: Internet Explorer 11 is the only IE version that supports HSTS.
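The HSTS advice above can be checked against the header a site's top-level domain actually returns. The following Python is an added example, not code from CERT/CC or the researchers; the function names and sample header values are constructed for illustration, and the parsing rules (case-insensitive directive names, no repeated directives, header ignored over plain HTTP) follow RFC 6797.

```python
# Added example: audit a Strict-Transport-Security header value.
# Function names and sample headers are constructed for illustration.

def parse_hsts(value):
    """Parse an HSTS value into {directive: value-or-None}.
    Directive names are case-insensitive; a repeated directive makes the
    header invalid, in which case None is returned.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def audit_hsts(value, over_https=True):
    """Return a list of findings; an empty list means subdomains are covered."""
    if not over_https:
        return ["header sent over plain HTTP is ignored by browsers"]
    if value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(value)
    if d is None:
        return ["repeated directive, header is invalid"]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        findings.append("missing or non-numeric max-age")
    elif int(max_age) == 0:
        findings.append("max-age=0 removes the HSTS policy")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


SAMPLES = {  # constructed header values
    "good": "max-age=31536000; includeSubDomains",
    "no_subdomains": "max-age=31536000",
    "disabled": 'max-age="0"; IncludeSubDomains',
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, audit_hsts(header))
```

Run the audit against the response from the top-level domain itself, since a policy served only by www does not extend to sibling subdomains.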