Heise Security explained in more detail how it's done. Essentially, if a session cookie is sent over an unencrypted http connection (i.e. if a service authenticates via cookies and its server doesn't set the cookie's secure flag) - which seems currently to be the case with Facebook and Amazon as well as Google's Gmail - then the cookie can be intercepted and misused by anyone who can watch the traffic.
They helpfully point out that when Google recently added an option to Settings to always use https, mainly for the protection of Gmail / Google Mail users who often use unencrypted public wifi connections (my emphasis), "this option also causes the server to set the secure flag, exclusively restricting the Google Mail session cookie to encrypted connections."
So, bottom line: if you use GoogleMail / Gmail, you should protect your cookies and yourself by securing your Gmail properly.
How to do that? Log in to Gmail, go to Settings (link at the top of the page), scroll down towards the end of the General tab, and under "Browser connection" select "Always use https" and Save Changes:
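To show what the secure flag actually changes, here is an added example (not from the Heise article or from Google) that parses Set-Cookie headers and works out which cookies a browser would attach to a plain http request versus an https one; the header lines, cookie names and hosts are constructed for illustration.

```python
"""Audit Set-Cookie headers: which cookies would travel over plain http?"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers: a session cookie without Secure, the same kind of
# cookie with Secure set, and a harmless preference cookie.
SAMPLE_HEADERS = [
    "SID=constructed-session-id; Path=/; Domain=.example.com; HttpOnly",
    "SSID=constructed-session-id; Path=/; Domain=.example.com; Secure; HttpOnly",
    "PREF=abc123; Path=/; Domain=.example.com",
]


def parse_set_cookie(header):
    """Return (name, morsel) for a single Set-Cookie header line."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def would_be_sent(morsel, url):
    """Would a browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # The Secure attribute restricts the cookie to encrypted connections.
    if morsel["secure"] and parts.scheme != "https":
        return False
    # Domain=.example.com covers example.com and all of its subdomains.
    domain = morsel["domain"].lstrip(".") or host
    if host != domain and not host.endswith("." + domain):
        return False
    return parts.path.startswith(morsel["path"] or "/")


def cookies_sent_to(headers, url):
    """Names of the cookies (in header order) that would be sent to url."""
    return [name for name, morsel in map(parse_set_cookie, headers)
            if would_be_sent(morsel, url)]


def missing_secure_flag(headers):
    """Names of cookies that the server set without the Secure attribute."""
    return [name for name, morsel in map(parse_set_cookie, headers)
            if not morsel["secure"]]


if __name__ == "__main__":
    print("exposed over http:", cookies_sent_to(SAMPLE_HEADERS, "http://mail.example.com/"))
    print("lacking Secure:", missing_secure_flag(SAMPLE_HEADERS))
```

Run against the constructed headers, the session cookie without the flag is listed as sent over http while the one with Secure is not.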

I don't know whether the same issue arises with Hotmail or Yahoo! Mail, and I don't know what the solution is for Amazon and Facebook etc. - try as far as possible to avoid logging in to those sites when you're on a wireless network / WLAN (and maybe even other networks), I guess!