Cookie handling in browsers can break HTTPS security

News, September 25, 2015

By Lucian Constantin

Cookies, the files that websites create in browsers to remember logged-in users and track other information about them, could be abused by attackers to extract sensitive information from encrypted HTTPS connections.

The issue stems from the fact that the HTTP State Management standard, or RFC 6265, which defines how cookies should be created and handled, does not specify any mechanism for isolating them or checking their integrity.

As such, Web browsers don't always authenticate the domains that set cookies. That allows malicious attackers to inject cookies via plain HTTP connections that would later be transmitted for HTTPS connections instead of those set by the HTTPS sites themselves, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University said in an advisory Thursday.
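The behaviour described above can be reproduced against Python's standard-library cookie jar, which implements the RFC 6265 rules the article refers to. This is an added illustration, not code from the article or from the CERT/CC advisory; the host example.com, the cookie names and the response stand-in are constructed assumptions.

```python
import email.message
import http.cookiejar
import urllib.request

class ConstructedResponse:
    """Stand-in for an HTTP response; http.cookiejar only needs .info()."""
    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message keeps duplicate headers

    def info(self):
        return self._headers

def replay(events, final_url):
    """Feed (url, [Set-Cookie ...]) pairs into a fresh jar, then return the
    Cookie header it would attach to a request for final_url (None if none)."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy, RFC 6265 semantics
    for url, headers in events:
        jar.extract_cookies(ConstructedResponse(headers), urllib.request.Request(url))
    request = urllib.request.Request(final_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")

# Constructed scenario: example.com sets a Secure session cookie over HTTPS,
# then a plain-HTTP response for the same host sets a cookie of the same name.
# The jar stores cookies by (domain, path, name) only, so the HTTP-set value
# replaces the HTTPS-set one and is what goes out on the next HTTPS request.
def https_request_after_http_injection():
    return replay([
        ("https://example.com/login", ["SESSION=legit; Secure; Path=/"]),
        ("http://example.com/", ["SESSION=injected; Path=/"]),
    ], "https://example.com/account")

# With a Domain attribute the injected cookie is stored under ".example.com",
# so both cookies survive and both are sent; the Cookie header carries no
# origin or attribute information, so the server cannot tell them apart.
def https_request_with_domain_injection():
    return replay([
        ("https://example.com/login", ["SESSION=legit; Secure; Path=/"]),
        ("http://example.com/", ["SESSION=injected; Domain=example.com; Path=/"]),
    ], "https://example.com/account")

# The Secure flag only restricts sending: the cookie is withheld over http://,
# but nothing stops an http:// response from setting or replacing it.
def http_request_sees_no_secure_cookie():
    return replay([("https://example.com/login", ["SESSION=legit; Secure; Path=/"])],
                  "http://example.com/")
```

Calling the three functions shows the server-side view: the HTTPS request arrives with either the replaced value alone or two indistinguishable SESSION cookies, while the Secure flag has protected nothing but the cookie's confidentiality on plain HTTP.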
