52 Comments
- ironeus, on 08/10/2008, -1/+35: "Always Use https" is definitely the best tip for preventative measures.
- FaceoffCircle, on 08/11/2008, -1/+22: ***** you I didn't touch the ***** cookie, bitch
- isuisorisuaint, on 08/11/2008, -0/+14: just go to settings and scroll all the way down on the 'general' tab... select 'always use https'.
- lead2thehead, on 08/11/2008, -0/+9: How to protect yourself:
1) Go to your gmail settings and choose "Always use https". It's the very last setting.
2) PAY ATTENTION TO BROWSER WARNINGS. Have you ever seen that pop-up that says "The page contains both secure and non-secure items. Do you want to display the non-secure items?" This message may as well say, "Would you like to enable cross site scripting attacks?"
If you click "yes", it will load the http content and open you up to attack. Click "no" and it will only display the https content and your cookies won't get hijacked.
- MasteRR, on 08/11/2008, -0/+8: I still don't understand why Google does not just do https by default and force it. Sure, it may create slightly more load on the servers, but the users' security is much more important. If you are going to give the option, then force it.
- Jeffler, on 08/11/2008, -2/+9: Couldn't be!
- CtrlAltDeleteDi, on 08/11/2008, -1/+8: alert("XSS")
- dist0rtedwave, on 08/11/2008, -0/+7: Since the link goes to the front page, not the actual article (it works now, but not in the future), here is the permalink:
http://voices.washingtonpost.com/securityfix/2008/ ...
Also, even though it is frightening to know that Google can make mistakes, it does seem like they are willing to take steps to make them better. My problem is that there seems to be no public notification on Google's part that this could happen, and that enabling the new setting is the best way to stop it.
- Shadowgamers, on 08/11/2008, -1/+8: "all that an attacker sniffing traffic on your network"
Cookie stealing isn't something new. Neither is sniffing a network.
- Jeffler, on 08/11/2008, -3/+9: Not me!
- VGBlast, on 08/11/2008, -2/+8: Then WHO??
- VGBlast, on 08/11/2008, -2/+8: Yes, you!
- inactive, on 08/11/2008, -2/+7: finally. a useful digg article
- Jeffler, on 08/11/2008, -2/+7: FaceoffCircle stole the cookies from the cookie jar!
- fas2, on 08/11/2008, -0/+3: RTFA
- sonofffej, on 08/11/2008, -11/+14: Finally, an answer to the age-old question, "Who stole the cookie from the cookie jar?"
- gurudrew, on 08/11/2008, -0/+2: The option does not appear to be available yet for the Google toolbar or in Gmail for Google Apps.
- ctrlfreak13, on 08/11/2008, -1/+3: Yes, it definitely is, thank god Google finally added it, I'd been forcing it through the CustomizeGoogle Firefox extension for years. It's a shame that Google hasn't yet put it as the default setting.
- sysop073, on 08/11/2008, -0/+2: "Remember... the two browser tabs can talk to each other and see each other's cookies"
Wait, what?
- ParanoydAndroid, on 08/11/2008, -0/+2: dumbass
- xptoast, on 08/11/2008, -0/+2: Thank you for having this in a nice little package to follow.
Is there a way to get Firefox to never allow you to open secure and non-secure things as a default?
- MasteRR, on 08/11/2008, -0/+2: I'll be impressed when it is forced on for everyone.
- mishaco, on 08/11/2008, -0/+2: Wait till that hacker finds out that gmail is my spam trap
- fas2, on 08/11/2008, -1/+2: Does anyone have an explanation for why Google put that off for so long and even now does not take appropriate measures?
- inajeep, on 08/11/2008, -0/+1: I was using it on my iGoogle pages too, but some of the tools such as the Google Finance tool don't function with HTTPS.
- HomerPimpson4, on 08/11/2008, -1/+2: It was Cookie Crook and Chip the Dog.
- Millsee, on 08/11/2008, -0/+1: *****... reported and blocked also...
- joshualamgroup, on 08/11/2008, -0/+1: WRONG. Read the article...
A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).
- Michaelabehsera, on 08/10/2008, -5/+6: cool, finally :)
- decavolt, on 08/11/2008, -0/+1: And that was covered in the article as well:
"I should note here that this attack is hardly new. Perry said he told Google about this problem a year ago, about the same time he posted an alert to the Bugtraq security mailing list about it"
The article isn't about cookie stealing or packet sniffing being new. It's about new features Google just released for Gmail to help prevent those attacks.
- ParanoydAndroid, on 08/11/2008, -0/+1: To whom are you responding? It appears as if the reply is to Ironeus, who is in fact correct. If you read the article further, they note that the vulnerability discussed depends on the cookie *not* being marked as secure, so that the attacker can force the computer to present the cookie when the user is in an unencrypted session (e.g. the user is requesting http://digg.com and the attacker appends a 1x1 mail.google.com image to load). Google by default provides an https connection solely for login, and the rest of the session is http using an un-secured cookie/sessionID.
However, if you use the "always use https" option, then the login session and browsing session for the entirety of the site will be in https, as well as having the cookies marked as "secure" - so no matter what, they will not be transmitted over an un-secured connection - negating this vector of attack.
- jellygraph, on 08/11/2008, -0/+1: Dugg down, reported to Digg and blocked... Have a nice day
- Rocco03, on 08/11/2008, -0/+1: It says the content has to be served from mail.google.com.
How can they see the cookies I'm sending to a server they don't control?
- MasteRR, on 08/11/2008, -0/+1: Some work, some don't. It's a shame these providers haven't thought kindly enough of our data to just force it for everything. Sure, if you are smart you can protect yourself, but Joe Blow who knows jack about security is the one who is going to suffer when he accesses his mail from an open wifi network.
- joerite, on 08/11/2008, -1/+1: I saw this last year.
- lead2thehead, on 08/11/2008, -0/+0: You could do it that way, but this attack is much simpler. They just send you an email with embedded http content. Ever seen that pop-up window that says, "This webpage contains both secure and non-secure items. Would you like to display the non-secure items?"... Click yes and you're owned.
- lead2thehead, on 08/11/2008, -0/+0: And NEVER click "yes" when it asks you if you want to display non-secure items.
- zspitfire04, on 08/11/2008, -4/+4: http://www.perfectduluthday.com/cookiemonster2.jpg
- Rocco03, on 08/11/2008, -1/+1: "All that an attacker sniffing traffic on your network would need do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com"
If I understand correctly, the only way they can steal your cookies is by hacking your network or using the DNS vulnerability.
- geekworking, on 08/11/2008, -0/+0: The key piece that you are missing is that the attacker is sniffing all traffic on the network segment. They are not stealing the cookie from your browser, they are watching the information go across the wire. Any checks within the browser are irrelevant because the information has already left your computer.
The only defense is to encrypt (https, vpn tunnel, etc.) the data before it leaves your computer.
- mike503, on 08/11/2008, -0/+0: Still not there for Google Apps for Your Domains.
Would be nice :P
- noth, on 08/11/2008, -2/+2: Not sure what you mean by that "Finally added", I've had my shortcut pointing to https://gmail.google.com for at least a year..
- entertainchange, on 08/11/2008, -1/+1: I prefer less advanced articles about the internet like the ones in the Wall Street Journal: http://digg.com/tech_news/Bad_Advice_in_the_Wall_S ...
- lead2thehead, on 08/11/2008, -2/+1: Because it's slower and users are impatient.
- diecastbeatdown, on 08/11/2008, -3/+2: finally added? it's always been there, no plugin needed.
just type in https://gmail.google.com
- CynicalTyler, on 08/11/2008, -2/+1: "I'm guessing many sites do not set the secure bit on their session cookies because it saves them money."
Damn you greedy customers! Always trying to get as many bits as you can; you'll drive us out of business!
- z01inks, on 08/11/2008, -2/+1: give me a break, privacy is dead. if you're putting anything in email that could torch you you're just plain stupid. don't believe the hype
- Dukaso, on 08/11/2008, -5/+3: https://mail.google.com
- mttyd, on 08/11/2008, -5/+3: MMM COOKIE OM NOM NOM!!!!
- lead2thehead, on 08/11/2008, -2/+0: Okay... my fault. They described several variations of this attack at DefCon, and unfortunately, this reporter didn't explain them very well. The one I just described was the traditional cookie hijacking trick.
The one you're talking about involves having TWO browser windows or tabs open at the same time. One of them is gmail, and the other one is a compromised site. Remember... the two browser tabs can talk to each other and see each other's cookies. So the attacker's page would hotlink to an image that's hosted on http://mail.google.com... one that you can't see unless you log in. Since the user is already logged in to gmail on the first window, it won't prompt the second window for a password. The second window will automatically log into gmail using the cached credentials from the first window. BUT... since the connection on the first window uses http and not https, it requests a non-secure cookie. The attacker then steals the non-secure cookie, pulls your credentials out of it and takes control of your gmail account.
(WHEW!)
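The "secure" cookie flag ParanoydAndroid describes and the hotlinked http://mail.google.com image lead2thehead describes above come down to one browser rule: a cookie stored without the Secure attribute is attached to every request to its domain, plain-http image requests included, so it crosses the wire in clear text where a sniffer on the same network can read it. The script below is an added example, not code from the Washington Post article, this thread, or Google. It uses Python's standard-library http.cookiejar as a stand-in for a browser's cookie rules; the host mail.example.com, the cookie names SID and PREF and their values are constructed for the example and are not Gmail's real cookies.

```python
"""Added example: what the Secure cookie attribute changes.

Python's http.cookiejar applies the same Netscape-style rules a browser
does for deciding which stored cookies go on a request, so it serves as
the browser here.  Host, cookie names and values are constructed.
"""
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie headers as an https login page might return them.
# "Before": the session cookie SID carries no Secure attribute.
WEAK_LOGIN_RESPONSE = [
    "SID=session123; Path=/",
    "PREF=lang_en; Path=/",
]
# "After" (what "Always use https" amounts to): SID is marked Secure.
HARDENED_LOGIN_RESPONSE = [
    "SID=session123; Path=/; Secure",
    "PREF=lang_en; Path=/",
]


class _FakeResponse:
    """CookieJar.extract_cookies() only needs .info() returning the headers."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message keeps repeated headers

    def info(self):
        return self._msg


def login_over_https(set_cookie_headers, login_url="https://mail.example.com/login"):
    """Simulate the browser storing the cookies from an https login response."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(login_url))
    return jar


def cookies_missing_secure(jar):
    """Audit: names of stored cookies that lack the Secure attribute."""
    return sorted(cookie.name for cookie in jar if not cookie.secure)


def cookie_header_for(jar, url):
    """The Cookie header the browser would attach to a request for url, or None.

    This is the whole mechanism: for a plain http:// URL the jar, like a
    browser, silently withholds Secure cookies and sends the rest in clear.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def leaked_over_http(jar, url="http://mail.example.com/mail/1x1.gif"):
    """Names of cookies that would travel in plain text to a hotlinked image."""
    header = cookie_header_for(jar, url)
    if header is None:
        return []
    return sorted(pair.split("=", 1)[0] for pair in header.split("; "))


if __name__ == "__main__":
    for label, headers in (("without Secure", WEAK_LOGIN_RESPONSE),
                           ("with Secure", HARDENED_LOGIN_RESPONSE)):
        jar = login_over_https(headers)
        print(f"{label}: cookies lacking Secure {cookies_missing_secure(jar)}; "
              f"sent to plain-http image: {leaked_over_http(jar)}")
```

Running it shows the difference the setting makes: with the weak login response the SID session cookie is sent to the plain-http image URL, with the hardened one only the harmless PREF cookie is, while an https request to the same host still receives SID either way. The same audit function, pointed at a real server's Set-Cookie headers, is a quick check that a site's session cookie is actually flagged Secure.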