Channel: fscked.org - InsecureCookies
Browsing all 20 articles
Need More Time to Fix Your Sites? Please contact me

If you are a site maintainer who has become aware of the pending release of my automated HTTPS cookie hijacking tool and you still need time to adjust your site to handle SSL correctly for people who...

Microsoft to Provide Timeline for SSL, Release Date Postponed Further

Microsoft has committed to providing a timeline for fixing the SSL issues with Hotmail/Live by next Friday and has requested that the tool release be postponed at least until then. I will of course...

Incomplete List of Alleged Vulnerable Sites

A couple of people have asked me to provide a list of sites vulnerable to HTTPS hijacking. Unfortunately, as a privacy advocate, I have a habit of shunning most Internet services that accumulate or...

Google Provides Timeline, Twitter Agrees to Provide Secure SSL

Google has committed to providing automatic secure cookie support for HTTPS Gmail users by 9/4/08 via a mechanism similar but not identical to the method I described in this post, and has requested I...

CookieMonster Core Logic, Configuration, and READMEs

This post describes the core logic of CookieMonster in more precise terms than the previous overview post. The hope is to drive home exactly how the tool functions, and to underscore that source code...

Overview of Web MITM Vulnerabilities

I've realized that the fact that I'm still getting questions to the effect of "How does this attack differ from Robert Graham's 'Sidejacking' attack?" means I did not do a very good job of classifying...

Fun Snags with Drupal Cookies

Shortly after Drupal fixed their issues with cookie demotion, I applied the patch. Unfortunately, since I run both HTTP and HTTPS on my site, when I added ini_set('session.cookie_secure', 1) to my...

Amazon Employee Fired For Requesting CookieMonster?

About 3 weeks ago, I sent a preliminary copy of the CookieMonster tool to an Amazon employee who requested it after I announced they were vulnerable, and that it was available for testing/proof. I was...

CookieMonster Available for All Site Admins, Bloggers, Students

Two weeks ago, I announced on Slashdot that CookieMonster was available via email to people who were security consultants and site admins. Unfortunately, I guess I wasn't crystal clear on the procedure...

It's about damned time

After waiting far, far longer than I had originally anticipated, I'm finally publicly posting the CookieMonster utility. I've worked with a number of developers and site admins to help test and secure...
