5 Journeyman • 15.6K Posts • 45K Points


October 26th, 2010 07:00

Secure Logons vs. Secure Sessions

The following was copied/pasted from an article that discussed the [in]security of so-called "secure" websites. Due to other content in that article, I have opted not to include a link to it. In short, what it's saying: Secure Logins are NOT enough... be sure that the site you're accessing maintains secure mode throughout your entire session there.

"Well-meaning websites use secure http, or https, at least during the login stage. This is vital, since it protects the username and password you submit. Once you have logged in, the site sets a browser session cookie which is unique to your login session...

But many websites take the easy way out once your session cookie is set, reverting to regular, unencrypted http for the rest of your session. After all, your username and password are not needed again, so the need for encryption has passed. Right?

Wrong.

Reverting to insecure traffic brings its own intractable security problem. It exposes all of the rest of your session to interception, including the session cookie, which is transmitted in the headers of every http request to the site."
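The exposure the quoted passage describes, as an added example that is not part of the original post or of the article it quotes: a site that logs you in over https but does not mark the session cookie `Secure` will have that cookie attached to every later plain-http request. The script below assumes a constructed host `example.test` and constructed `Set-Cookie` headers (none of this is from a real site), and uses Python's standard-library cookie jar to show that a session cookie set without `Secure` is attached to a later `http://` request, while the same cookie set with `Secure` is withheld. It also includes a small audit function a site operator can run over their own `Set-Cookie` headers; the name-based session detection is a heuristic.

```python
"""Check whether a login session cookie would travel over plain http.

Two defender-side checks:
  1. audit_set_cookie(): flag session cookies in a Set-Cookie header that lack
     the Secure attribute (and HttpOnly).
  2. cookie_sent_over(): simulate a login over https followed by a request over
     http using the standard-library cookie jar, and report whether the cookie
     would be attached to the plain-http request.
All headers and host names here are constructed for illustration.
"""
import email.message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

# Substrings that usually mark a cookie as carrying login state (heuristic, an assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def is_session_cookie(name):
    """Heuristic: does this cookie name look like it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header value.

    A session cookie without Secure is sent on every http:// request to the
    site, which is exactly the exposure the quoted article describes.
    """
    parsed = SimpleCookie()
    parsed.load(header)
    findings = []
    for name, morsel in parsed.items():
        if not is_session_cookie(name):
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure; will be sent over plain http")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    return findings


class _FakeResponse:
    """Minimal stand-in for an HTTP response: only what CookieJar.extract_cookies reads."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message allows repeated headers

    def info(self):
        return self._headers


def cookie_sent_over(set_cookie_header, login_url, later_url):
    """Store the cookie as if login_url returned it, then build a request to later_url.

    Returns the Cookie header the jar would attach to that request, or None
    when the jar withholds the cookie (e.g. a Secure cookie on an http:// URL).
    """
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie_header]), Request(login_url))
    later = Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


if __name__ == "__main__":
    # Constructed headers: a weak one and its hardened counterpart.
    weak = "SESSIONID=abc123; Path=/"
    hardened = "SESSIONID=abc123; Path=/; Secure; HttpOnly"
    login, account = "https://example.test/login", "http://example.test/account"
    for header in (weak, hardened):
        print(header)
        for finding in audit_set_cookie(header):
            print("  finding:", finding)
        print("  sent on http:// after login:", cookie_sent_over(header, login, account))
```

The jar applies the same rule browsers do: a cookie carrying `Secure` is only attached to `https://` (or `wss://`) requests, so a site that sets it can drop back to http for static content without leaking the session. Redirecting every http request to https (and sending an HSTS header) closes the remaining gap, since a browser that never issues an http request to the site cannot expose anything on it.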


5 Journeyman • 15.6K Posts • 45K Points

October 26th, 2010 08:00

BB,

To credit the article's author, it's Paul Ducklin.

If you [or anyone else] wish to cite/include the link here, that's your call. Given some of the contents ["You can debate the morality of (John Doe's) open publication and promotion of his session-hijacking software"], I'm sure you can understand my reluctance to do so...

4 Apprentice • 20.5K Posts

October 26th, 2010 08:00

ky331,

I can identify that article because I read it earlier today, but if we do not give the source, that may not be fair to the author. However, it can be easily found by using Google.


4 Apprentice • 20.5K Posts

October 26th, 2010 09:00

Yes, ky331. I think the author's name is sufficient.

On the other hand, it's all over Twitter today, so we're not accomplishing much by not including the link.
