
Cookies MONSTER your security, even with encryption

posted on September 25, 2015
by l33tdawg

A whole lot of work rolling out HTTP security is being undermined by bad browser implementation that facilitates man-in-the-middle attacks.

CERT has warned that all of the major browser vendors have a basic implementation error that means “cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information”.

The problem was first revealed at Usenix, and the good news for users is that the browser makers have now caught up with the problem, so if you're using the latest versions of Safari, Chrome, IE (11 or later only), Mozilla, Opera or Vivaldi, you're in the clear. Unprotected browsers accept cookies via HTTPS, but they don't check the source of an HTTPS cookie. As the advisory states:
