
Cookie handling in browsers can break HTTPS security

Discussion in 'CSO' started by RSS, Sep 25, 2015.


    Cookies, the files that websites create in browsers to remember logged-in users and track other information about them, could be abused by attackers to extract sensitive information from encrypted HTTPS connections.

    The issue stems from the fact that the HTTP State Management standard, or RFC 6265, which defines how cookies should be created and handled, does not specify any mechanism for isolating them or checking their integrity.

    As such, Web browsers don't always authenticate the domains that set cookies. That allows malicious attackers to inject cookies via plain HTTP connections that would later be transmitted for HTTPS connections instead of those set by the HTTPS sites themselves, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University said in an advisory Thursday.

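The mechanism the excerpt describes can be made concrete with a small cookie-jar model. The following is an added example, not code from the CSO article, from CERT/CC or from any browser: it implements the RFC 6265 storage rules the excerpt refers to (a Domain attribute only has to cover the responding host, nothing ties a cookie to the scheme it arrived on, and section 5.4 lists cookies with longer paths first), and then, behind a `strict` switch, the later cookie-prefix and "leave Secure cookies alone" rules from the RFC 6265bis drafts that shipping browsers adopted. The class and function names, the `example.com` hosts and the Set-Cookie headers are constructed for the demonstration; the path-matching and "leave Secure cookies alone" logic are simplified relative to the full specification, as noted in the comments.

```javascript
'use strict';

// Parse one Set-Cookie header value into its name, value and the attributes
// that matter here. Path defaults to "/" (RFC 6265 derives a default path
// from the request URI; that detail is simplified away in this model).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, domain: null, path: '/' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'domain': cookie.domain = v.toLowerCase().replace(/^\./, ''); break;
      case 'path': cookie.path = v || '/'; break;
    }
  }
  return cookie;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  const prefix = cookiePath.endsWith('/') ? cookiePath : cookiePath + '/';
  return reqPath.startsWith(prefix);
}

class CookieJar {
  // strict=false: the RFC 6265 storage model the article describes.
  // strict=true: adds the cookie-prefix and "leave Secure cookies alone"
  // rules from the RFC 6265bis drafts that browsers implement today.
  constructor({ strict = false } = {}) { this.strict = strict; this.store = []; this.seq = 0; }

  // Accept (or reject) a Set-Cookie header received from fromUrl.
  setCookie(fromUrl, header) {
    const u = new URL(fromUrl);
    const host = u.hostname.toLowerCase();
    const secureOrigin = u.protocol === 'https:';
    const c = parseSetCookie(header);
    // RFC 6265 only checks that a Domain attribute covers the responding host.
    // Nothing records whether the cookie arrived over http:// or https://.
    const domain = c.domain === null ? host : c.domain;
    if (!domainMatches(host, domain)) return false;
    if (this.strict) {
      if (c.secure && !secureOrigin) return false;
      if (c.name.startsWith('__Secure-') && !c.secure) return false;
      if (c.name.startsWith('__Host-') &&
          !(c.secure && c.domain === null && c.path === '/')) return false;
      // Simplified "leave Secure cookies alone": an insecure origin may not
      // overwrite or shadow any stored Secure cookie of the same name.
      if (!secureOrigin && this.store.some((s) => s.name === c.name && s.secure)) return false;
    }
    this.store = this.store.filter((s) =>
      !(s.name === c.name && s.domain === domain && s.path === c.path));
    this.store.push({ ...c, domain, hostOnly: c.domain === null, created: this.seq++ });
    return true;
  }

  // The Cookie header the browser would attach to a request for toUrl.
  // RFC 6265 section 5.4 lists longer paths first, then older cookies first,
  // so an injected cookie with a more specific path lands ahead of the real one.
  cookieHeader(toUrl) {
    const u = new URL(toUrl);
    const host = u.hostname.toLowerCase();
    const secure = u.protocol === 'https:';
    return this.store
      .filter((c) => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
      .filter((c) => pathMatches(u.pathname, c.path))
      .filter((c) => !c.secure || secure)
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed scenario: the site sets its session cookie over HTTPS; an
// on-path attacker who can answer a plain http:// request for the same host
// (or any sibling under example.com) injects a same-named cookie.
function shadowingDemo(strict) {
  const jar = new CookieJar({ strict });
  jar.setCookie('https://www.example.com/', 'session=legit; Secure; Path=/');
  const injected = jar.setCookie('http://www.example.com/',
    'session=attacker; Domain=example.com; Path=/account');
  return { injected, sent: jar.cookieHeader('https://www.example.com/account') };
}

// Cookie prefixes put the guarantee in the name, so a server can refuse any
// __Host- cookie that was not set over HTTPS, host-only, with Path=/.
function prefixDemo() {
  const jar = new CookieJar({ strict: true });
  return [
    jar.setCookie('https://www.example.com/', '__Host-sid=ok; Secure; Path=/'),
    jar.setCookie('http://www.example.com/', '__Host-sid=evil; Path=/'),
    jar.setCookie('https://www.example.com/', '__Host-sid=evil; Secure; Domain=example.com; Path=/'),
  ];
}

console.log('RFC 6265 jar:', shadowingDemo(false));
console.log('hardened jar:', shadowingDemo(true));
console.log('__Host- prefix:', prefixDemo());
```

With `strict` off, the plain-HTTP injection is accepted and the HTTPS request to `/account` carries `session=attacker; session=legit`, the attacker's value first; a server that reads the first `session` cookie is now using attacker-controlled state over an otherwise intact TLS connection. With `strict` on, the same injection is refused because a Secure cookie named `session` already exists, and the `__Host-` prefix rejects both the insecure and the Domain-scoped attempts. The practical takeaway for an application owner is to name session cookies `__Host-...`, set `Secure`, and treat any duplicate or unprefixed cookie of that name as hostile, since the integrity check the article says RFC 6265 lacks has to be supplied by naming convention and browser policy rather than by the protocol.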
