Time progression showing vulnerable DNS servers: Red dots represent unpatched servers, yellow dots patched servers with NAT problems, green dots are patched servers.
The problem has gotten a lot of attention with respect to unencrypted GMail sessions. In fact, there is now a widely available automated tool which allows you to steal session cookies on HTTP and HTTPS sites that do not set the cookie secure flag.

Surf Jacking Gmail demonstration from Sandro Gauci on Vimeo
However, the problem is more widespread than just GMail (although there are still problems even there) and potentially affects a much broader range of sites.
Since so many sites are likely vulnerable, the actual reporting process is probably going to fall on the shoulders of users. To check your sites under Firefox, go to the Privacy tab in the Preferences window, and click on "Show Cookies". For a given site, inspect the individual cookies, and if any have "Send For: Encrypted connections only", delete them. Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer. - Mike Perry
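The same check can be run against the `Set-Cookie` headers a site sends on its HTTPS login response. The following is an added example, not part of the original post or of Mike Perry's text. The cookie names and header values are constructed, and the set of cookies a site requires for authentication is an assumption supplied by the caller.

```python
# Added example. Header values and cookie names are constructed sample data.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def cookies_without_secure(set_cookie_headers):
    """Names of cookies the browser would also send over plain HTTP."""
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


def session_stealable(set_cookie_headers, required_for_auth):
    """Model of the manual test: once the Secure cookies are deleted, does the
    site still have every cookie it needs (assumption: required_for_auth) to
    accept the session? If so, the cookies visible over HTTP are enough."""
    exposed = set(cookies_without_secure(set_cookie_headers))
    return bool(required_for_auth) and set(required_for_auth) <= exposed


# Constructed Set-Cookie values from a hypothetical HTTPS login response.
SAMPLE_HEADERS = [
    "auth_tls=abc123; Path=/; Secure; HttpOnly",
    "session=def456; Domain=.example.test; Path=/",
    "prefs=lang=en; Path=/; SECURE",
]

if __name__ == "__main__":
    print("sent over HTTP too:", cookies_without_secure(SAMPLE_HEADERS))
    # Site A accepts `session` alone; site B also demands `auth_tls`.
    print("site A stealable:", session_stealable(SAMPLE_HEADERS, {"session"}))
    print("site B stealable:", session_stealable(SAMPLE_HEADERS, {"session", "auth_tls"}))
```

A site that binds the login to at least one `Secure` cookie passes the manual test even if other cookies are sent in the clear.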
Of course, we can't all go hide in a darkened room, and realistically, unless you're a high profile target, your chance of getting caught by this vulnerability is fairly low. However, potentially at least, this is serious. Your email, merchant account, banking and other personal information are potentially at risk. Right now it's not clear how widespread this problem actually is, so be careful out there...