UPDATED 10:46 EDT / OCTOBER 29 2010

Even Forced SSL is broken for Facebook Google Twitter

There’s been a lot of constructive attention on Firesheep this week, a simple tool that lets anyone hijack other people’s web accounts with absolutely no skill required.  A lot of people are suggesting that running their Firefox or Chrome web browser in forced SSL (HTTPS) mode will protect them, but I cautioned people that this isn’t that simple because many websites don’t fully support SSL.  It’s even worse than this: even if a site supports SSL, it will frequently contain links that redirect to non-SSL portions of the site.  And even if all the links are rewritten to point to an SSL page, there may be JavaScript code within the page that transmits authentication cookies in clear, non-SSL HTTP mode.

This is precisely what happened to Google in 2008, when it was revealed that even full SSL mode for Gmail would leak the cookie information that lets someone “sidejack” a Gmail account.  Facebook seems to have recently added support for full HTTPS SSL mode, but there are many links that drop back to HTTP even if you run extensions designed to force Facebook into SSL mode.  Even with these force-SSL extensions running, the links within Facebook will still temporarily redirect to HTTP and then bounce to HTTPS.  Even when I manually type HTTPS and never see an HTTP session, Facebook is still leaking the authentication cookies that allow Firesheep to sidejack the session, based on my testing.

The same problem affects Twitter even when I manually type in https://twitter.com.  Twitter will remain in https mode no matter what part of the site I click, but it will still leak authentication cookies to sidejacking tools like Firesheep.  The effect is that anyone can still go into my Twitter account and post any embarrassing message they want.  Even https://Google.com leaks my account so that people can see where I searched and where I live on maps.google.com.  For that matter, just firing up the Chrome browser without launching a single page will leak my Google account!  Thanks a lot for caring about our privacy guys.
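The mechanism behind the leaks described above is that a session cookie set without the Secure attribute is attached to every request for its domain, including the temporary HTTP hop of the link-to-HTTP-to-HTTPS bounce. This added example (not code from the post or from any of the sites it names) uses the standard-library cookie jar to model that browser behaviour; the domain, cookie value and navigation chain are constructed.

```python
"""Why forced SSL alone does not stop sidejacking: a cookie stored without the
Secure attribute rides along on any plain-HTTP request to its domain, so the
HTTP hop of an HTTP -> HTTPS bounce exposes it. Constructed example values."""
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, secure):
    """Build a cookie as a browser would store it after a Set-Cookie header."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."), path="/", path_specified=True,
        secure=secure, expires=None, discard=True, comment=None, comment_url=None,
        rest={}, rfc2109=False)


def build_jar(secure_flag):
    """A jar holding one session cookie for a constructed domain."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("session", "abc123", ".example.com", secure_flag))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the browser-style policy, incl. Secure
    header = req.get_header("Cookie")
    return [part.split("=", 1)[0] for part in header.split("; ")] if header else []


def leaking_hops(jar, chain, cookie_name="session"):
    """URLs in a navigation chain where cookie_name would cross the wire in clear."""
    return [url for url in chain
            if url.startswith("http://") and cookie_name in cookies_sent_to(jar, url)]


def simulate(secure_flag):
    """User types an HTTPS page, clicks a link that bounces via HTTP to HTTPS."""
    chain = ["https://www.example.com/home",      # page the user typed in
             "http://www.example.com/profile",    # link target: temporary HTTP hop
             "https://www.example.com/profile"]   # final HTTPS redirect
    return leaking_hops(build_jar(secure_flag), chain)


if __name__ == "__main__":
    print("Secure flag off ->", simulate(False))  # ['http://www.example.com/profile']
    print("Secure flag on  ->", simulate(True))   # []
```

Setting the Secure attribute on the session cookie is the site-side fix this shows: the cookie then never leaves the browser over plain HTTP, whatever the page's links or scripts do.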

The force SSL mode also seems to be nearly useless in Google Chrome because it’s so stingy about what it will force into SSL.  If it’s the first time you’ve visited the site or there are some additional non-sensitive image icons being loaded from some other non-SSL site, it will not force the site to go SSL.

Conclusion?  Browser makers and website operators have a long way to go to secure people’s accounts and identities on the Internet.


[Cross-posted at Digital Society]
