Monday, August 11, 2008

SurfJacking: HTTPS will not save you, but "secure" will

There is a lot of talk out there about a new tool for "SurfJacking". The basic premise is that an attacker can compromise your session even if you are using SSL. This sounds scary, and it is bad. If you get lazy about reading papers, as I sometimes do, here is the primary fix. Use the "secure" flag for your cookies.

What is the secure flag?
a cookie whose value is critical for the integrity of the session should have this flag enabled in order to allow its transmission only in an encrypted channel to deter eavesdropping. - OWASP

Don't get hung up on the "critical for the integrity part". If you went to the effort to create a cookie for the user, its probably important. Go ahead and set the secure flag.

Haven't heard of SurfJacking? Look here
New Tool to Automate Cookie Stealing from Gmail, Others. Washing Post
SurfJacking.pdf from

Since we are setting flags, go ahead and also set the httpOnly flag. This is unrelated to the above issue, but its a good move and will help prevent against XSS cookie theft.

-Michael Coates