[cryptography] a little help with cookies please

grarpamp grarpamp at gmail.com
Thu Sep 17 00:39:10 EDT 2015


What is of more crypto / security interest is not bandwidth use
or even domain or path restrictions, but failure of webdevs to
seed and restrict sensitive cookies (like your authenticated
session id's) from and to TLS only sessions.
Well known top100 sites that still have a legacy http mode
fail to do this properly... banks, social, govt, etc.
Even sites that immediately 302 your first hit (or other hits)
over to https thereafter can be found doing it wrong.
Ripe for wifi or wire monitoring based session stealing.


More information about the cryptography mailing list