US CERT warns of insecure cookies

US CERT has warned users of a security problem that mostly affects insecure networks, such as WLAN hotspots, and may allow attackers to gain complete control of their victims' accounts. This is not a new or unknown problem; CERT evidently wants to raise users' awareness in view of recently published tools such as Ferret, which was presented at the last Black Hat Conference and collects information such as session cookies from wireless networks.

Many services, such as Google Mail, offer encrypted authentication, which makes it impossible for eavesdroppers on the network to capture user access data, and passwords in particular. However, the actual access to the service is often left unencrypted due to performance and cost considerations. To associate the browser's subsequent requests with a session, the web site sets a session cookie during log-in, which the browser then sends to the server with every page request on that web site.

heise Security - News - US-CERT warns of insecure cookies
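The cookie behaviour described above can be checked from the defender's side. The following Python sketch is an added example, not part of the original article: it parses the Set-Cookie headers of a constructed log-in response and shows which cookies a browser would attach to an unencrypted http:// request because they lack the `Secure` attribute. Cookie names and values are constructed, and domain and path matching are left out.

```python
# Added example: which cookies from a log-in response would a browser also
# send over plain HTTP? All header values below are constructed samples.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def build_jar(set_cookie_headers):
    """Store cookies as the browser would after the log-in response."""
    return [parse_set_cookie(h) for h in set_cookie_headers]


def cookie_header_for(jar, scheme):
    """Cookie header the browser attaches to a request with this scheme.

    Cookies marked Secure are withheld from http:// requests; every other
    cookie travels in clear text. Domain/path matching is not modelled.
    """
    pairs = [f"{name}={value}" for name, value, attrs in jar
             if scheme == "https" or "secure" not in attrs]
    return "; ".join(pairs)


def exposed_on_plain_http(jar):
    """Names of cookies readable by anyone on the same unencrypted network."""
    return [name for name, _value, attrs in jar if "secure" not in attrs]


# Constructed response headers from a hypothetical HTTPS log-in endpoint.
SAMPLE_HEADERS = [
    "SID=3f9a1c; Path=/; HttpOnly",             # session cookie without Secure
    "AUTH=77be20; Path=/; Secure; HttpOnly",    # only sent over HTTPS
    "lang=en; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    jar = build_jar(SAMPLE_HEADERS)
    print("http  ->", cookie_header_for(jar, "http"))
    print("https ->", cookie_header_for(jar, "https"))
    print("exposed:", exposed_on_plain_http(jar))
```

In the sample, the session cookie `SID` is set without `Secure`, so it accompanies every later plain-HTTP page request even though the log-in itself was encrypted.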

Linked by shanmuga Wednesday, 12th September 2007 1:04AM