If a site is running on https channel but the content is not confidential
and the site uses a few cookies which are not secure and do not contain any
confidential/sensitive data, what is the risk associated here? As I've read,
cookies should be secure but I am not able to justify it to myself. Could
anyone please help?
--
Thanks,
Pankaj Upadhyay
http://pupadhyay.blogspot.com/
Well, if there's nothing confidential, chances are that there's no risk to data.
More precision on what you'd like to protect against might be useful here.
--
David Rajchenbach-Teller
CSO, MLstate
On Mar 21, 2011, at 2:52 PM, Pankaj Upadhyay wrote:
If a site is running on https channel but the content is not confidential and the site uses a few cookies which are not secure and do not contain any confidential/sensitive data, what is the risk associated here? As I've read, cookies should be secure but I am not able to justify it to myself. Could anyone please help?
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
If a site is running on https channel but the content is not confidential
and the site uses a few cookies which are not secure and do not contain any
confidential/sensitive data, what is the risk associated here?
In such a case, the primary risk, regardless of how the cookies are
flagged, is that they may be still set over HTTP (e.g., by
network-level attackers on wifi networks). Thus, any reliance on them
within the HTTPS context should be done with extreme caution.
/mz
What do you mean by "secure cookies"?
Do you mean the =secure bit?
Do you mean some other control like checksums, or cryptographic obfuscation?
In general if the cookies have no value then I wouldn't waste time on
them. However, if users log into the application, and one or more
cookie values control their authentication and authorization, then the
cookies may have value.
#1: setting the =secure bit simply prevents the browser from
transmitting the cookies over non-SSL connections on the same site
(leaking them in cleartext). If the cookies don't matter, this doesn't
matter. =secure can break the application if there are non-SSL
functions that need the cookies marked =secure.
#2 has implementation overhead, and can have performance implications.
Not worth the time if the app has no confidential data and the cookies
aren't used for anything sensitive or that has security implications
(like session).
There are probably more important things to focus on in the
application, like ensuring that there are no exposures to injection
attacks, etc.
Arian Evans
==Secure
On Mon, Mar 21, 2011 at 6:52 AM, Pankaj Upadhyay
mr.p.upadhyay@gmail.com wrote:
If a site is running on https channel but the content is not confidential
and the site uses a few cookies which are not secure and do not contain any
confidential/sensitive data, what is the risk associated here? As I've read,
cookies should be secure but I am not able to justify it to myself. Could
anyone please help?
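The Secure flag Arian describes (and the HTTP-set cookie problem mz raises) as an added example, not code from the thread or from the customer's site: a small audit that parses the Set-Cookie headers of a constructed HTTPS response and reports cookies missing Secure or HttpOnly. The __Host- prefix check goes beyond the 2011 thread; it covers the later browser rule (cookie prefixes) that addresses mz's point that a cookie can still be set over plain HTTP. Cookie names and the response are constructed, not real.

```python
# Added example (not from the thread): audit Set-Cookie headers for the
# Secure flag, HttpOnly, and __Host- prefix requirements.

def parse_set_cookie(value: str):
    """Split one Set-Cookie header value into (cookie name, {attr: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(value: str, over_https: bool = True) -> dict:
    """Return findings for one Set-Cookie header; an empty list means OK."""
    name, attrs = parse_set_cookie(value)
    findings = []
    # Without Secure the browser will also send the cookie over plain HTTP.
    if over_https and "secure" not in attrs:
        findings.append("no Secure: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by page scripts")
    # __Host- cookies are only accepted by browsers when set over HTTPS
    # with Secure, Path=/ and no Domain, so an HTTP-set copy is rejected.
    if name.startswith("__Host-"):
        ok = "secure" in attrs and attrs.get("path") == "/" and "domain" not in attrs
        if not ok:
            findings.append("__Host- prefix needs Secure, Path=/ and no Domain")
    return {"name": name, "findings": findings}

def audit_response(raw_headers: str, over_https: bool = True) -> dict:
    """Audit every Set-Cookie line in a raw HTTP header block."""
    results = {}
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            r = audit_cookie(value.strip(), over_https)
            results[r["name"]] = r["findings"]
    return results

# Constructed response from a hypothetical CMS home page served over HTTPS.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: CMSSESSID=abc123; Path=/
Set-Cookie: lang=en; Path=/; Secure
Set-Cookie: __Host-sid=xyz789; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "->", findings or ["ok"])
```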
Important things to understand about the cookie here. A cookie generally
contains a user session ID or maybe some other non-sensitive data. But if
the session ID is compromised then it will create a huge risk.
On 3/21/11, Michal Zalewski lcamtuf@coredump.cx wrote:
If a site is running on https channel but the content is not confidential
and the site uses a few cookies which are not secure and do not contain any
confidential/sensitive data, what is the risk associated here?
In such a case, the primary risk, regardless of how the cookies are
flagged, is that they may be still set over HTTP (e.g., by
network-level attackers on wifi networks). Thus, any reliance on them
within the HTTPS context should be done with extreme caution.
/mz
--
Thanks & Regards
Robin Tiwari
Security Analyst
Hi,
It's always a good security practice to set cookies with the secure attribute when HTTPS is used. How can you confirm there is no confidential information in the cookie? It might not contain any now, but web app developers might include some in later stages. Prevention is always better than cure.
Regards,
Santhosh Kumar
From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Pankaj Upadhyay
Sent: Monday, March 21, 2011 7:23 PM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] secure cookie on a public site
If a site is running on https channel but the content is not confidential and the site uses a few cookies which are not secure and do not contain any confidential/sensitive data, what is the risk associated here? As I've read, cookies should be secure but I am not able to justify it to myself. Could anyone please help?
Pankaj,
On Tue, Mar 22, 2011 at 12:52 AM, Pankaj Upadhyay
mr.p.upadhyay@gmail.com wrote:
If a site is running on https channel but the content is not confidential
and the site uses a few cookies which are not secure and do not contain any
confidential/sensitive data, what is the risk associated here? As I've read,
cookies should be secure but I am not able to justify it to myself. Could
anyone please help?
If confidentiality (i.e. commercial in confidence information,
sessions cookies) is not a concern then can you clarify the business
drivers for HTTPS?
--
Regards,
Christian Heinrich
Let me rephrase my question:
Firstly by secure cookie, I meant the setSecure flag. One of our customers
has a site running on HTTPS. I am not sure about the business drivers for
that but this site is using some CMS and divided into two broad sections -
one is public site with no authentication and other is secure site with the
authentication. The home page of the site comes under the public site, and when
the browser requests the home page, the response sets a CMS session cookie and
this cookie's secure flag is not set.
As per the best practices, this cookie should be secure but my question was
even if it is not secure and can be compromised, is there 'any other' risk
associated with it in the present scenario?
BTW thank you everyone. I think I have got my answers. Thanks for the
replies.
On Tue, Mar 22, 2011 at 11:18 AM, Christian Heinrich <
christian.heinrich@cmlh.id.au> wrote:
--
Thanks,
Pankaj Upadhyay