websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

secure cookie on a public site

PU
Pankaj Upadhyay
Mon, Mar 21, 2011 1:52 PM

If a site is running on https channel but the content is not confidential
and the site uses a few cookies which are not secure and do not contain any
confidential/sensitive data, what is the risk associated here? As I've read,
cookies should be secure but I am not able to justify it to myself. Could
anyone please help?

--
Thanks,
Pankaj Upadhyay
http://pupadhyay.blogspot.com/

DR
David Rajchenbach-Teller
Mon, Mar 21, 2011 4:17 PM

Well, if there's nothing confidential, chances are that there's no risk to data.
More precisions on what you'd like to protect against might be useful here.

--
David Rajchenbach-Teller
CSO, MLstate

On Mar 21, 2011, at 2:52 PM, Pankaj Upadhyay wrote:

> If a site is running on https channel but the content is not confidential and the site uses a few cookies which are not secure and do not contain any confidential/sensitive data, what is the risk associated here? As I've read, cookies should be secure but I am not able to justify it to myself. Could anyone please help?
>
> --
> Thanks,
> Pankaj Upadhyay
> http://pupadhyay.blogspot.com/


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

MZ
Michal Zalewski
Mon, Mar 21, 2011 5:08 PM

> If a site is running on https channel but the content is not confidential
> and the site uses a few cookies which are not secure and do not contain any
> confidential/sensitive data, what is the risk associated here?

In such a case, the primary risk, regardless of how the cookies are
flagged, is that they may be still set over HTTP (e.g., by
network-level attackers on wifi networks). Thus, any reliance on them
within the HTTPS context should be done with extreme caution.

/mz

AJ
Arian J. Evans
Mon, Mar 21, 2011 5:09 PM

What do you mean by "secure cookies"?

  1. Do you mean the =secure bit?

  2. Do you mean some other control like checksums, or cryptographic obfuscation?

In general if the cookies have no value then I wouldn't waste time on
them. However, if users log into the application, and one or more
cookie values control their authentication and authorization, then the
cookies may have value.

#1: setting the =secure bit simply prevents the browser from
transmitting the cookies over non-SSL connections on the same site
(leaking them in cleartext). If the cookies don't matter, this doesn't
matter. =secure can break the application if there are non-SSL
functions that need the cookies marked =secure.

#2 has implementation overhead, and can have performance implications.
Not worth the time if the app has no confidential data and the cookies
aren't used for anything sensitive or that has security implications
(like session).

There are probably more important things to focus on in the
application, like ensuring that there are no exposures to injection
attacks, etc.


Arian Evans
==Secure

On Mon, Mar 21, 2011 at 6:52 AM, Pankaj Upadhyay
mr.p.upadhyay@gmail.com wrote:

> If a site is running on https channel but the content is not confidential
> and the site uses a few cookies which are not secure and do not contain any
> confidential/sensitive data, what is the risk associated here? As I've read,
> cookies should be secure but I am not able to justify it to myself. Could
> anyone please help?
>
> --
> Thanks,
> Pankaj Upadhyay
> http://pupadhyay.blogspot.com/



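To make the two points above concrete, Michal's (a cookie the site relies on can still be set over plain HTTP, whatever its flags) and Arian's (the =secure bit only stops the browser sending the cookie over non-SSL connections), here is a small model of a browser cookie jar following the RFC 6265 rules. It is added illustration, not code from the list or from any CMS; the host `example.test`, the cookie name `CMSSESSID` and its values are constructed, and domain/path matching is deliberately left out. The `leave_secure_alone` switch models the later "Leave Secure Cookies Alone" rule (RFC 6265bis, adopted by browsers years after this thread), which is the mitigation for the overwrite case.

```python
# Minimal model of how a browser stores and sends cookies (RFC 6265 rules).
# Added example for this thread, not code from the list or any project.
# Host, cookie name and values below are constructed; domain/path ignored.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Parse a Set-Cookie value into (name, value, has_secure_attribute)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return name.strip(), value, secure

def store_cookie(jar, header, response_url, leave_secure_alone=False):
    """Store a cookie from a response. `jar` maps name -> (value, secure).

    Plain RFC 6265: any response may overwrite an existing cookie of the
    same name, even one that was set with Secure. With the later
    'Leave Secure Cookies Alone' rule, a non-https response may not.
    """
    name, value, secure = parse_set_cookie(header)
    over_https = urlsplit(response_url).scheme == "https"
    if secure and not over_https:
        return False  # Secure attribute is only honoured on an https response
    existing = jar.get(name)
    if leave_secure_alone and existing and existing[1] and not over_https:
        return False  # plain-http response may not shadow a Secure cookie
    jar[name] = (value, secure)
    return True

def cookies_for(jar, request_url):
    """Return the cookies the browser would attach to a request."""
    over_https = urlsplit(request_url).scheme == "https"
    return {n: v for n, (v, s) in jar.items() if over_https or not s}

def scenario(leave_secure_alone=False):
    jar = {}
    # 1. Public home page over https sets a session cookie without Secure:
    #    the browser will also send it on http:// requests (cleartext leak).
    store_cookie(jar, "CMSSESSID=s1-from-server; Path=/", "https://example.test/")
    leaks_over_http = "CMSSESSID" in cookies_for(jar, "http://example.test/")
    # 2. Same cookie with the Secure attribute: withheld from http:// requests.
    store_cookie(jar, "CMSSESSID=s2-from-server; Path=/; Secure",
                 "https://example.test/")
    secure_withheld = "CMSSESSID" not in cookies_for(jar, "http://example.test/")
    # 3. A response on the plain-http origin sets a same-named cookie without
    #    Secure. Under plain RFC 6265 it replaces the Secure one and is then
    #    sent to the https site; the stricter rule rejects the overwrite.
    injected = store_cookie(jar, "CMSSESSID=injected; Path=/",
                            "http://example.test/", leave_secure_alone)
    seen_by_https = cookies_for(jar, "https://example.test/")["CMSSESSID"]
    return leaks_over_http, secure_withheld, injected, seen_by_https
```

Step 3 is why the Secure flag alone does not make an HTTPS site safe to trust a cookie: the server-side check still has to bind the session to something the plain-HTTP origin cannot set.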
RT
Robin Tiwari
Mon, Mar 21, 2011 5:34 PM

Important things here to understand about the cookie. Cookie generally
contains user session ID or may be some other non sensitive data. But if
the session ID is compromised then it will create a huge risk.

On 3/21/11, Michal Zalewski lcamtuf@coredump.cx wrote:

>> If a site is running on https channel but the content is not confidential
>> and the site uses a few cookies which are not secure and do not contain
>> any confidential/sensitive data, what is the risk associated here?
>
> In such a case, the primary risk, regardless of how the cookies are
> flagged, is that they may be still set over HTTP (e.g., by
> network-level attackers on wifi networks). Thus, any reliance on them
> within the HTTPS context should be done with extreme caution.
>
> /mz



--
Thanks & Regards

Robin Tiwari
Security Analyst

SK
Santhosh Kumar K
Tue, Mar 22, 2011 4:22 AM

Hi,

It's always a good security practice to set cookies with the secure attribute when HTTPS is used. How can you confirm there is no confidential information in the cookie? It might not contain any now, but web app developers might include some in later stages. Prevention is always better than cure.

Regards,
Santhosh Kumar

From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Pankaj Upadhyay
Sent: Monday, March 21, 2011 7:23 PM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] secure cookie on a public site

If a site is running on https channel but the content is not confidential and the site uses a few cookies which are not secure and do not contain any confidential/sensitive data, what is the risk associated here? As I've read, cookies should be secure but I am not able to justify it to myself. Could anyone please help?

--
Thanks,
Pankaj Upadhyay
http://pupadhyay.blogspot.com/

CH
Christian Heinrich
Tue, Mar 22, 2011 5:48 AM

Pankaj,

On Tue, Mar 22, 2011 at 12:52 AM, Pankaj Upadhyay
mr.p.upadhyay@gmail.com wrote:

> If a site is running on https channel but the content is not confidential
> and the site uses a few cookies which are not secure and do not contain any
> confidential/sensitive data, what is the risk associated here? As I've read,
> cookies should be secure but I am not able to justify it to myself. Could
> anyone please help?

If confidentiality (i.e. commercial in confidence information,
sessions cookies) is not a concern then can you clarify the business
drivers for HTTPS?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

PU
Pankaj Upadhyay
Tue, Mar 22, 2011 5:07 PM

Let me rephrase my question:

Firstly, by secure cookie I meant the setSecure flag. One of our customers
has a site running on HTTPS. I am not sure about the business drivers for
that, but this site is using some CMS and is divided into two broad sections:
one is the public site with no authentication and the other is the secure site
with authentication. The home page of the site comes under the public site, and
when the browser requests the home page, the response sets a CMS session cookie
and this cookie's secure flag is not set.

As per the best practices, this cookie should be secure but my question was
even if it is not secure and can be compromised, is there 'any other' risk
associated with it in the present scenario?

BTW thank you everyone. I think I have got my answers. Thanks for the
replies.

On Tue, Mar 22, 2011 at 11:18 AM, Christian Heinrich
christian.heinrich@cmlh.id.au wrote:

> Pankaj,
>
> On Tue, Mar 22, 2011 at 12:52 AM, Pankaj Upadhyay
> mr.p.upadhyay@gmail.com wrote:
>
>> If a site is running on https channel but the content is not confidential
>> and the site uses a few cookies which are not secure and do not contain
>> any confidential/sensitive data, what is the risk associated here? As I've
>> read, cookies should be secure but I am not able to justify it to myself.
>> Could anyone please help?
>
> If confidentiality (i.e. commercial in confidence information,
> sessions cookies) is not a concern then can you clarify the business
> drivers for HTTPS?
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

--
Thanks,
Pankaj Upadhyay
