
Regarding this security issue: http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/

Is it true to say "any time a user logs into a site, and isn't redirected to SSL/TLS/HTTPS connection, that the session cookies are vulnerable"?

What is the best solution to protect Facebook credentials, and how does it work?

Is there any way to have a secure session and not have SSL/TLS? In other words, is there any way to make it so that cookies on one machine can't be replayed on another?

The reason the last question is important is because Google AdSense does not support SSL/TLS and therefore will force the designer to expose all cookies. This will in turn affect every site that relies on AdSense.

Robert Harvey
makerofthings7
  • You 100% need SSL/TLS. This is a part of OWASP A9. Also I'm 100% sure that AdSense supports SSL/TLS because I'm using it on my site. – rook Oct 26 '10 at 16:51
  • possible duplicate of [Is HTTPS the only defense against Session Hijacking in an open network?](http://stackoverflow.com/questions/4017344/is-https-the-only-defense-against-session-hijacking-in-an-open-network) – rook Oct 26 '10 at 16:51
  • @Rook - I checked 4 months ago and AdSense didn't support this... it was even part of a FAQ. Is this new? – makerofthings7 Oct 26 '10 at 16:52

3 Answers

The problem is that the cookies are sent in the clear on the network if you don't have SSL/TLS.

Anyone listening to the TCP/IP traffic can read unencrypted data and can read your cookies.

Once you have them, you can copy them onto your own computer and they will work...

You need SSL/TLS!

Loïc Février

When you are transmitting data in the open (unencrypted) there is NO WAY to protect your information, especially not using a cookie which is a well-known and widely used protocol for storing insensitive user information. You may try tricks and hacks to assert that only the person to whom the cookie was issued is the one who can use it, but that is not what cookies were designed for. COOKIES ARE NOT A SECURITY FEATURE!

If you want privacy, use encryption. It's as simple as that. SSL certs are cheap (as low as $10 per year). If security and privacy are a requirement, there is no excuse not to use SSL.

jathanism

For your own sites, you can design cookies to be more secure: http://jaspan.com/improved_persistent_login_cookie_best_practice

But because Facebook hasn't done this, the only option is to use SSL.

Robert
  • True, it doesn't completely prevent sniffing but it makes it much less valuable to an attacker and makes it easier to detect. Or am I misunderstanding the article? – Robert Oct 27 '10 at 15:14
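The series/token persistent-login scheme the linked article describes, as an added Python example (not code from the original answers or from the article); the `PersistentLoginStore` class, its in-memory store and the `build_set_cookie` helper are assumptions. It shows why a sniffed cookie loses value: each use rotates the token, so a replayed copy carries a stale token for a valid series, which the server treats as theft.

```python
import hashlib
import secrets


class PersistentLoginStore:
    """Constructed in-memory store: series id -> {user, sha256(token)}."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _h(token):
        # Store only a hash so a database leak does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # A fresh series identifies one login; the token is rotated per use.
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._rows[series] = {"user": user, "token_hash": self._h(token)}
        return series, token

    def redeem(self, series, token):
        # Returns (status, user, new_token). Only "ok" grants a session.
        row = self._rows.get(series)
        if row is None:
            return ("unknown", None, None)
        if not secrets.compare_digest(row["token_hash"], self._h(token)):
            # Known series but wrong token: an older copy of the cookie was
            # replayed (e.g. one sniffed off plain HTTP). Treat as theft:
            # drop every series for that user so neither side keeps access.
            user = row["user"]
            self._rows = {s: r for s, r in self._rows.items() if r["user"] != user}
            return ("theft_detected", user, None)
        new_token = secrets.token_urlsafe(16)
        row["token_hash"] = self._h(new_token)
        return ("ok", row["user"], new_token)


def build_set_cookie(series, token, name="remember"):
    # Secure stops the browser sending the cookie over plain HTTP (which only
    # helps if the site is actually served over HTTPS); HttpOnly keeps page
    # scripts from reading it. Neither replaces TLS for the login itself.
    return f"{name}={series}:{token}; Secure; HttpOnly; Path=/"
```

The rotation does not stop the first replay from being a race with the real user; it limits the window and makes the theft visible, which is the "easier to detect" point made in the comment above.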