Tuesday, December 28, 2010

A Study of HTTPOnly and Secure Cookie Flags for the Top 1000 Websites

A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content

A basic HTTPS request was sent to the top 1000 websites. The HTTP responses were investigated to observe the usage of HTTPOnly and SECURE cookie flags. Here is what was found:

Unique Domains Responding: 162
    Domains responding to https://www.<site>: 141
    Domains responding to https://<site>: 88

Total Cookies Gathered: 559
    Cookies from https://www.<site>: 373
    Cookies from https://<site>: 186

HTTPOnly Flag
Total unique count of cookies using HTTPOnly flag: 26
    Cookies from https://www.<site>: 25
    Cookies from https://<site>: 11
    Note: 10 of the 11 sites from https://<site> were duplicated within the https://www.<site> results

SECURE Flag
Total unique count of cookies using secure flag: 15
    Cookies from https://www.<site>: 15
    Cookies from https://<site>: 0

Session Cookies
Cookies containing the word "session": 91
    Total unique count of these cookies marked HTTPOnly: 12
    Total unique count of these cookies marked SECURE: 8
    Total unique count of these cookies marked SECURE & HTTPOnly: 1 (https://www.clickbank.com)

HTTPOnly & SECURE
Total number of cookies marked HTTPOnly & SECURE : 7
    6 from https://www.paypal.com
    1 from https://www.clickbank.com
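As an added example (not the post's own script), the tally below applies the study's categories to Set-Cookie headers: attribute names are matched case-insensitively, a cookie seen from both https://www.<site> and https://<site> is counted once, and cookies whose name contains "session" are tracked separately. The sample headers and host names are constructed; fetch_set_cookies() is an optional helper that needs network access and is not used by tally().

```python
import http.client
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (request URL, Set-Cookie header) pairs; hosts are placeholders, not study data.
SAMPLE_RESPONSES = [
    ("https://www.example-a.test/", "sid=abc123; Path=/; HttpOnly; Secure"),
    ("https://www.example-a.test/", "tracking=xyz; Path=/; Expires=Fri, 31 Dec 2010 23:59:59 GMT"),
    ("https://example-a.test/", "sid=abc123; Path=/; HttpOnly; Secure"),  # same cookie as on www
    ("https://www.example-b.test/", "session_id=9f8e7d; path=/; httponly"),
    ("https://www.example-b.test/", "lang=en; Path=/"),
    ("https://example-c.test/", "JSESSIONID=0000abcd; Path=/; Secure"),
]

def fetch_set_cookies(url, timeout=10):
    """Send one HTTPS GET and return (url, header) pairs for its Set-Cookie headers (needs network)."""
    parsed = urlparse(url)
    conn = http.client.HTTPSConnection(parsed.hostname, timeout=timeout)
    conn.request("GET", parsed.path or "/")
    headers = conn.getresponse().headers
    # get_all() is required: getheader() would fold several Set-Cookie lines into one comma-joined string.
    return [(url, h) for h in headers.get_all("Set-Cookie") or []]

def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def tally(responses):
    """Count cookies by flag; a cookie seen on both www.<site> and <site> is counted once."""
    counts, seen = Counter(), set()
    for url, header in responses:
        host = urlparse(url).hostname.lower()
        site = host[4:] if host.startswith("www.") else host
        name, attrs = parse_set_cookie(header)
        counts["total"] += 1
        if (site, name) in seen:
            continue
        seen.add((site, name))
        httponly, secure = "httponly" in attrs, "secure" in attrs
        counts["unique"] += 1
        counts["httponly"] += int(httponly)
        counts["secure"] += int(secure)
        counts["both"] += int(httponly and secure)
        if "session" in name.lower():  # the study's heuristic for spotting session cookies
            counts["session"] += 1
            counts["session_both"] += int(httponly and secure)
    return counts
```

Running tally(SAMPLE_RESPONSES) on the constructed data yields 6 cookies gathered, 5 unique, 2 HttpOnly, 2 Secure, 1 with both flags, and 2 session-named cookies of which none carries both flags.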

Raw data can be found at the following link.

Conclusion:

I was surprised to see such low numbers. The top 1000 sites include the most frequented sites on the web. Since the sites responded to HTTPS requests, I would have hoped that these sites would also be leveraging the additional security benefits of the HTTPOnly and SECURE flags. It was also interesting to see that of the 91 cookies that could easily be identified as session related cookies, only 1 cookie was marked as both SECURE and HTTPOnly. Clearly these cookies should be rotated after an actual login, but why establish a session at all if you aren't going to protect it with these basic cookie flags?


Notes on this test:

HTTPOnly and SECURE flags are used as an extra layer of security and are most often used with sites that support logins. It is unclear what number of the sampled sites support logins and thus would be good candidates to implement these additional controls. Therefore the results should not be construed as a sampling of sites that should be using the HTTPOnly and SECURE flags.

When the HTTPOnly and SECURE flags are used on a website it is likely that they would be used throughout the site. Therefore, if any of the sites were to use these flags, I would expect them to be used on the page requested for the test. I therefore believe the presence, or lack thereof, of the HTTPOnly and SECURE flags accurately represents the use of these flags at the tested sites.


-Michael Coates - @_mwc

6 comments:

  1. "why establish a session at all if you aren't going to protect it with these basic cookie flags?"

    I guess an answer might be that these sites established an HTTPS session only because you asked them to, but it's not something that they expect people to do. As is evident from trying out "HTTPS everywhere" (http://www.eff.org/https-everywhere), lots of sites will serve HTTPS, but it's just kind of "there". The content served is the same as through HTTP, which often means links to HTTP within the site and lots of mixed content warnings.

    Facebook, for example, will serve lots of their site over HTTPS if you request it with HTTPS, but all of the same content, including login pages, is also available without HTTPS. They don't promote the existence of HTTPS, and the pages served with HTTPS frequently link you back to HTTP pages. Some things just don't work over HTTPS, and lots of it comes back with mixed content warnings.

    If sites like that used these headers, they would be even more broken under HTTPS than they already are. I guess it's an "anything is better than nothing" idea.

    Rather than taking the 1000 top sites and trying them with HTTPS, it might be more meaningful to find sites that actually redirect you to HTTPS when you access them with HTTP. I suspect that would drop that 162 figure down considerably, and so increase the proportion using these features.

  2. @michaell
    "it might be more meaningful to find sites that actually redirect you to HTTPS when you access them with HTTP"

    That's a good idea. Perhaps I'll give that approach a shot and see what kind of numbers I get.

  3. You may also want to experiment with NoScript's Automatic Secure Cookie Management, to see how many sites break if forced to upgrade cookies served over HTTPS.

    Quite an old feature, BTW :)

  4. Are there any plans to do some evangelism based on those findings?

  5. One thing to keep in mind is that the cookies that you received may not necessarily be used for anything particularly important.

    Stupid example: my bank serves all internet banking from https://www.encrypt.standardbank.co.za/ rather than from their main site. Your testing would have missed that.

    Also, cookies issued on visit to the landing page may not be used for anything important. Important cookies may be issued when you access other paths (perhaps mapped through to a completely different server via a load balancer).

  6. @ Rogan
    "Also, cookies issued on visit to the landing page may not be used for anything important. Important cookies may be issued when you access other paths (perhaps mapped through to a completely different server via a load balancer)."

    Excellent point, and in fact, best practices dictate this /should/ be the case. A session cookie instantiated when "landing" on a site should be invalidated and replaced once the user does something important, like authenticate to do banking or make a post. Thus, we counsel developers to utilize HttpOnly and Secure flags on /sensitive/ cookies, not necessarily all cookies.
