Much Ado about Cookies
There was recently an article about a demonstration of hijacking a GMail session via cookie theft (hat tip to Stefan Brands). It's also here. Conor Cahill has some good comments on this here, and Vikram Kumar has some thoughts here.
There are two interesting things about this to me. The first is that it is being presented as a WiFi hack. WiFi has little to do with it, except to make a known security weakness easier to exploit. Cookie theft has long been known as a serious potential problem for any web application that does not use SSL for all post-authentication traffic.
The second interesting thing is that it points out an interesting imbalance in how authentication is viewed. Most people think of web authentication as being the point at which the user puts in his user ID and password, or authenticates via some other means such as Information Card, SAML, OTP, etc. What is often missed is that most web applications require re-authentication of the user for almost every request after the initial authentication, which is often called session authentication. Because of this imbalance we have a dizzying array of authentication methods to initiate a session, but very few means of performing session authentication afterwards. By far the most common means of session authentication is some form of cookie.
In other words, it doesn't matter whether a web application does the initial authentication via user ID and password, SecurID, OpenID, SAML, WS-Federation or anything else. Once the session is started it is vulnerable to hijacking if the cookies are not protected via SSL (or some other means). Encrypting the cookie provides little benefit: the attacker can use the encrypted value just as easily to hijack the session.
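As an added illustration, not code from the original post, here is a Python sketch of a hypothetical server that shows both points: a signed (or encrypted) session cookie is accepted from whoever presents it, since the server cannot tell a replay from the legitimate client, so the protection has to be at the transport level; the audit function flags a Set-Cookie header that lacks the Secure attribute which stops the browser from sending the cookie over plain HTTP. The cookie name, key and session values are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Server-side signing key (constructed for this example, not a real key).
SERVER_KEY = b"example-only-server-key"
_sessions = {}  # session id -> user: the server's session table


def issue_session(user):
    """Create a session handle and sign it: the value the server puts in Set-Cookie."""
    sid = secrets.token_hex(16)
    _sessions[sid] = user
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify_session(cookie_value):
    """Return the user for a valid token, else None.

    Note what is NOT checked: who presented the token. A value sniffed off an
    unencrypted connection verifies exactly like the original, which is why
    signing or encrypting the cookie value does not prevent hijacking."""
    sid, sep, mac = cookie_value.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged token
    return _sessions.get(sid)


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flags -> True
    return name.strip(), value, attrs


def audit_session_cookie(header):
    """Return the transport/script protections a Set-Cookie header is missing."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")    # browser will also send it over plain http://
    if "httponly" not in attrs:
        missing.append("HttpOnly")  # page script can read the value out
    return missing
```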
Note also that most alternatives to cookies as a means of session authentication are just as vulnerable. Some alternatives are:
URL Tokens - a session handle is added to the URL. This is hardly ever used anymore because it requires that the same unique handle be added to all URLs in each page that is part of the web application. This provides very little benefit as the URL can be sniffed just as easily as a cookie can.
IP Address - again, this can be easily sniffed and it is easy to spoof.
HTTP Basic Authentication - combines the ease of sniffing and hijacking with the added deficiency of sending your user ID and password unencrypted on every request.
HTTP Digest Authentication - only slightly better than HTTP Basic in that the password is encrypted, but it's still vulnerable to hijacking.
Macromedia Flash Local Stored Objects - this is used by SiteKey as part of its authentication scheme. Just as easy to sniff.
The sad thing is that you actually have to go out of your way to get an SSL session through gmail. I wonder why? Most mail packages/sites go the other way (start unsecure, and move to secure) but gmail just keeps it unsecure. Very strange behavior.