Side Jacking : When websites use HTTP I can passively monitor network traffic and see your cookies. That's just BretardedSurf Jacking: If developers designed an SSL site poorly, by a HIJACKING A LOWER NETWORK LAYER I can actively force your browser to reveal its cookies, even if your are using SSL. Pretty cool, but limited. So there is a design flaw in HTTP state management that some folks might not know about: Developers, not the protocol, make the decision about whether cookies should be served over both secure and insecure connections. And as we know developers typically choose poorly when it comes to security. Crux of paper: If I hijack a lower network layer I inject HTTP responses to non-SSL requests that force the browser to send its cookies for a site over a non-SSL connection, where anyone (read me) monitoring the traffic can see the session ID. And thats the problem. If you can hijack network sessions HTTP cookie theft is a fairly tame thing to do. For example, just MITM a victim when they first try to connect to the secure site. 99.5% of users ignore broken SSL certs anyway. And this works against site's with rotating session ids where surf jacking would not. In short, nifty trick, but high barriers that, if passable, let you do way worse things then what this paper describes. Surf Jacking |