

News Article: Insecure Cookies Leak Sensitive Information


mwb1100:
On a somewhat related note (cookie stealing), Coding Horror recently did an article about the fact that cookies should be marked "HttpOnly" to prevent being stolen by JavaScript attacks:

http://www.codinghorror.com/blog/archives/001167.html

I wonder how much stuff would break if browsers changed the protocol to make cookies HttpOnly by default (make websites specifically mark them as "OK for JavaScript") and automatically mark cookies the browser gets via HTTPS/SSL with the 'secure bit'.  Let the website specifically indicate that the cookie is not secure instead of the other way around ('secure by default').

I wonder if this is something that can be added to Firefox via plugin (I know nothing about how low-level plugins can get). It might be interesting to see if web browsing is still usable.

Ehtyar:
I wonder if this is something that can be added to Firefox via plugin (I know nothing about how low-level plugins can get). It might be interesting to see if web browsing is still usable.
-mwb1100 (September 14, 2008, 05:11 PM)
--- End quote ---
When I read the article myself, I ran a quick search on mozilla and it does not seem there is an extension for this, nor is there one for the secure bit. I would say it's relatively easy, but I suck at overlays so I'm not your man.

Ehtyar.

Gothi[c]:
And people say I'm paranoid for having cookies disabled by default, and only enabling them on-demand - and after use they are cleared again.

Yes, it's a pain having to type in your password every time you make a forum post etc. - but it's worth it IMO. FF extensions like CookieSafe easily let you do this at the click of a mouse.

It's probably also an even better idea to have a separate, sandboxed browser environment to do your online banking on. (Or even use a vm just for the purpose).

Ehtyar:
I use Cookie Monster myself, though I allow sites I frequent/trust permanently; otherwise a site is temporarily allowed permission if necessary, and denied in all other situations.

Ehtyar.
