Channel: mikeperry's blog
Browsing all 21 articles

Google Provides Timeline, Twitter Agrees to Provide Secure SSL

Google has committed to providing automatic secure cookie support for https gmail users by 9/4/08 via a mechanism similar but not identical to the method I described in this post, and has requested I...

CookieMonster Core Logic, Configuration, and READMEs

This post describes the core logic of CookieMonster in more precise terms than the previous overview post. The hope is to drive home exactly how the tool functions, and to underscore that source code...

Overview of Web MITM Vulnerabilities

I've realized that the fact that I'm still getting questions to the effect of "How does this attack differ from Robert Graham's 'Sidejacking' attack?" means I did not do a very good job of classifying...

Fun Snags with Drupal Cookies

Shortly after Drupal fixed their issues with cookie demotion, I applied the patch. Unfortunately, since I run both http and https on my site, when I added ini_set('session.cookie_secure', 1) to my...

Amazon Employee Fired For Requesting CookieMonster?

About 3 weeks ago, I sent a preliminary copy of the CookieMonster tool to an Amazon employee who requested it after I announced they were vulnerable, and that it was available for testing/proof. I was...

CookieMonster Available for All Site Admins, Bloggers, Students

Two weeks ago, I announced on slashdot that CookieMonster was available via email to people who were security consultants and site admins. Unfortunately, I guess I wasn't crystal clear on the procedure...

Farewell to Riverbed (So long and thanks for all the bits!)

I've spent the past four and a half years of my professional life working on reverse engineering and accelerating the Microsoft Exchange email protocol for Riverbed Technology, Inc. It's been a...

It's about damned time

After waiting far, far longer than I had originally anticipated, I'm finally publicly posting the CookieMonster utility. I've worked with a number of developers and site admins to help test and secure...

Prepaid Cell Phone ID: National Security Through Sales Clerks?

The Washington Post was first to break the story on the proposal of Senators Schumer and Cornyn to require prepaid cell phone purchasers to provide ID. Now, most of the media has been reporting in the...

Something is Rotten in #opdarknet

Update 11/2/11 @ 4:50pm: I again have experienced a DDoS against fscked.org, again through Tor (though some IPs also appeared to be non-Tor), shortly after posting this article. It seems to have...

Incomplete List of Alleged Vulnerable Sites

A couple people have asked me to provide a list of sites vulnerable to HTTPS hijacking. Unfortunately as a privacy advocate, I have a habit of shunning most Internet services that accumulate or...
