« Phishers Use DNS Tricks to Direct Users to Bad Sites
What are Shared SSL Certificates »

SSL-encrypted Gmail not safe to ’sidejacking’ attacks, says researcher

Robert Graham, CEO of Errata Security, who last year found that it’s possible to capture someone’s session cookie via wireless eavesdropping, now says that even encrypted services such as Google’s Gmail can sometimes provide him with a session cookie. This is a departure from his advice last August when he said SSL HTTPS sessions of Gmail should be immune.

Graham, working with David Maynor, created two tools (Ferret and Hamster), which together help him grab session cookies out of thin air, say, at a local hot spot, like an Internet cafe. Session cookies allow you to shop at an e-commerce site, then leave the page and return later without re-entering your password. One doesn’t have to decode the user’s password to exploit the session cookie, merely possess it.

Read more here …

This entry was posted on Thursday, January 31st, 2008 at 11:40 pm and is filed under SSL Industry News. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply