1154681
submission
+- The CookieMonster Demands Satisfaction-> on Tuesday September 09 2008, @07:58AM mikepery
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
mikepery writes "------ Begin Cut Here —
Note to slashdot editors: Hey guys, I was wondering if you could help me out a bit to correct for the fairly inaccurate article you featured about my HTTPS hijacking work being a Gmail-specific attack tool. I want to make sure the record is set straight, and people realize that a lot more sites are potentially affected than just Gmail, so that they can ensure they are fixed properly.
------------ End Cut Here —
I figure the slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool are gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put "CookieMonster" in the subject, without a space.
I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."
Link to Original Source
Note to slashdot editors: Hey guys, I was wondering if you could help me out a bit to correct for the fairly inaccurate article you featured about my HTTPS hijacking work being a Gmail-specific attack tool. I want to make sure the record is set straight, and people realize that a lot more sites are potentially affected than just Gmail, so that they can ensure they are fixed properly.
------------ End Cut Here —
I figure the slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool are gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put "CookieMonster" in the subject, without a space.
I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."
Link to Original Source
I prefer rogues to imbeciles because they sometimes take a rest.
-- Alexandre Dumas, fils
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
The CookieMonster Demands Satisfaction 0 Comments More Login /
Get More Comments