
Online services security report card

by 날으는물고기 2010. 11. 8.




Note that “WordPress” refers to all the independent implementations of WordPress, but the WordPress.com free hosting site does implement SSL.  The bottom portion of the table refers to generic protocols that are commonly used by computers and smartphones, the vast majority of which use the unsafe versions.

What are authentication cookies?

To save you the trouble of signing in with a username and password every time you visit a website, websites use temporary authentication cookies (typically expiring after a few days) that are automatically pulled from your browser's cookie database and sent to the server with each request.  When the cookies expire, the user is prompted to type in their username and password again, which the web browser has often saved.

SSL authentication

When you sign in with your username and password, the secure way to do it is over a URL that starts with “HTTPS” and whose certificate has been verified by a certificate authority such as Verisign.  Your browser and operating system keep a list of trusted Certificate Authorities (CAs) and will warn you when you visit a site whose certificate is signed by an untrusted CA.  Some sites still use SSL encryption to transmit the authentication data but don’t bother serving the login page itself over HTTPS, under the false impression that this is safe.  It is not good enough, because the user has no way of knowing whether the page they are typing into is the real site or a fake one.

Many websites don’t bother doing this, and that makes it easy for someone to steal your username and password by putting up a fake hotspot and a fake website.  This type of attack is very dangerous to consumers, but it requires the attacker to perform an active attack, which carries some small risk of being caught if authorities triangulate the wireless signal.  In reality, few resources are allocated to tracking down this kind of attack, and it can be launched from a self-contained box, which vastly reduces the risk to the attacker.

I and many other security experts have been hammering the U.S. banking industry since 2006 for failure to use SSL authentication and they finally fixed the problem years later.  Unfortunately, websites like Twitter and Facebook still haven’t learned.

SSL browsing support

When you’re browsing a website without SSL (when the address bar reads HTTP and not HTTPS), anyone can see what you’re browsing.  If this is Yahoo mail for example, people can read the messages you have loaded on the screen but they can’t go in and read other messages you’re not reading and they can’t send mail as you.

A website that does not support SSL browsing will not necessarily leak user authentication cookies; whether it does is a function of how careful the website developers are about their JavaScript and the attributes they set on the cookies.  eBay is a good example of this: no cookies are leaked even though eBay users browse without SSL.

Partial sidejacking

A partial sidejacking is where an attacker can obtain authentication cookies that give them limited access to a user’s account.  For example, Google.com allows an attacker holding the cookies to browse Google’s sites as the victim, and on Google Maps the attacker can see the victim’s saved addresses (including their home address).  The same problem affects Yahoo, but there the attacker can’t access things like email.

Full sidejacking

A full sidejacking happens when the attacker gains access to everything short of the username and password.  On Facebook, they can log in as the victim, see all private data, and even send or post messages on the victim’s behalf.  The attacker usually can’t reset the password, because sites like Facebook ask for the old password before setting a new one.

On Microsoft Hotmail, the attacker can see every email received and sent and can send messages on behalf of the victim.  This potentially allows the attacker to reset other user accounts that are registered to the Hotmail address.  Full sidejacking of an email account is very dangerous, and it is surprising that Microsoft hasn’t fixed this yet.  Even if they only protected the authentication cookies (for example, by restricting them to HTTPS) and didn’t support full SSL mode, that would vastly improve security.  Google dragged its feet on Gmail for a year after sidejacking was widely reported in 2007, but it deserves credit for being one of the first to fix the problem, and it has recently defaulted everyone to full SSL for Gmail.
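The sections above turn on one mechanism: a browser sends a cookie on every request to the site unless the cookie carries the Secure attribute, so an authentication cookie set without Secure is transmitted in the clear the first time the user loads any plain-HTTP page, and that is what a sidejacker captures. The following Python script is an added example, not code from the original article or from digitalsociety.org; it parses constructed Set-Cookie headers (the cookie names `sess` and `prefs` and the host `example.test` are invented), models the browser's Secure-attribute rule, and reports which authentication cookies would be exposed on a plain-HTTP request, comparing a leaky login response with a hardened one.

```python
"""Added example: which authentication cookies does a browser leak over http://?

Constructed for this demonstration; the header values, cookie names and
host name below are invented and stand in for a real login response.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(headers):
    """Turn raw Set-Cookie header values into a list of cookie records.

    Only the attributes that matter for this analysis are kept: the Secure
    flag (cookie is restricted to https://) and the HttpOnly flag (cookie
    is hidden from page scripts, so a script injection cannot read it).
    """
    cookies = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            cookies.append({
                "name": name,
                "value": morsel.value,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })
    return cookies


def cookies_sent_to(cookies, url):
    """Model the browser's rule: Secure cookies ride only on https:// requests,
    every other cookie is attached to http:// requests as well."""
    scheme = urlsplit(url).scheme
    return [c for c in cookies if scheme == "https" or not c["secure"]]


def sidejacking_exposure(cookies, auth_cookie_names, plain_url):
    """Return the sorted names of authentication cookies that would travel in
    the clear on a request for plain_url, i.e. what a passive sniffer on the
    same network would capture."""
    sent = cookies_sent_to(cookies, plain_url)
    return sorted(c["name"] for c in sent if c["name"] in auth_cookie_names)


# Constructed sample: a login response whose session cookie lacks Secure.
LEAKY_LOGIN_HEADERS = [
    "sess=abc123; Path=/; HttpOnly",
    "prefs=lang-en; Path=/",
]

# Constructed sample: the same response with the session cookie hardened.
HARDENED_LOGIN_HEADERS = [
    "sess=abc123; Path=/; HttpOnly; Secure",
    "prefs=lang-en; Path=/",
]

# Hypothetical: the application's session cookie is the only authentication cookie.
AUTH_COOKIES = {"sess"}
PLAIN_PAGE = "http://example.test/mail"


def report(label, headers):
    """Print a one-line verdict for a login response."""
    leaked = sidejacking_exposure(parse_set_cookie(headers), AUTH_COOKIES, PLAIN_PAGE)
    verdict = "exposed to sidejacking" if leaked else "not sent over plain HTTP"
    print(f"{label}: auth cookies leaked on {PLAIN_PAGE}: {leaked or 'none'} ({verdict})")


if __name__ == "__main__":
    report("leaky login", LEAKY_LOGIN_HEADERS)
    report("hardened login", HARDENED_LOGIN_HEADERS)
```

The preference cookie is sent over HTTP in both cases, which is harmless because it grants nothing; the difference between the two responses is solely the Secure attribute on the session cookie. Adding Secure does not by itself prevent the eBay-style partial leak through page scripts, which is why the example also records HttpOnly, nor does it stop an active attacker who serves a fake login page, which is the separate problem of SSL authentication.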

Full hijacking

This is where an attacker gains access to the user’s username and password.  At this point, the attacker can do anything they want with the user’s data and account.  It is notable that attacking non-SSL-protected protocols like POP3, SMTP, IMAP, and FTP is even easier, because it can be done passively, which is completely undetectable.  The attack is so simple that security conferences like DEFCON have an annual “Wall of Sheep”.  Attacking websites that fail to employ SSL authentication requires an active attack, where the attacker has to set up a fake but realistic-looking login page.


Source: www.digitalsociety.org
