
Gmail and Facebook Profile-specific HTTPS: Vulnerable?

I've begun to wonder about something:

Given that Gmail and Facebook use HTTPS on a per-profile basis, and that they don't use it by default, are connections to them vulnerable?

I'm not familiar at all with the protocols involved, but my reasoning goes like this: the browser needs to figure out whether or not to use HTTPS, and by default, it doesn't. That means that whenever I point my page to Facebook.com, my browser sends some piece of information (perhaps a session ID?) over an unencrypted channel to Facebook, before figuring out whether or not I've requested HTTPS. (Please correct me if I'm wrong, but I don't believe it uses a secure connection for sending this.)

Doesn't this mean that anyone could hijack the session ID in the middle of the insecure connection? Is this a potential vulnerability?

Cookies that use the Secure flag are sent only via HTTPS. So it is possible to always redirect HTTP to HTTPS and avoid sending session cookies over HTTP before the redirection, but I wouldn't count on it, so I would never connect to Gmail using http://mail.google.com/ - only https://mail.google.com/

Actually I just checked and Gmail seems to set 6 cookies - only 3 of which are secure. When you visit http://mail.google.com/mail/ your browser actually sends your email address in cleartext for everyone to see before you get redirected to HTTPS.

As for the security of Facebook... I recommend watching the "How I met your girlfriend" talks by Samy Kamkar at Defcon (shorter) and at Blackhat (longer).

Update to avoid confusion in the comments: Samy Kamkar explained a method to guess the Facebook session cookie so HTTPS doesn't matter at all here. The point is that you can use HTTPS only and still be vulnerable to session hijacking.

Both of these are secure and do not expose session IDs.

  1. User browses to http://www.facebook.com
  2. User types in username and password, which submits to https://www.facebook.com/ ...
  3. The Facebook servers have securely received the username/password from step 2, validate the user, and check the database to see if this user requests SSL-only traffic. If the user has SSL-only traffic selected, Facebook sets the secure bit in the cookie that contains the user's session ID, only allowing it to be sent over secure connections. All of the links Facebook returns to that user are https:// links, so each connection is encrypted.

Nowhere in this process is the session ID exposed.
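The browser-side rule both answers rely on (a cookie carrying the Secure attribute is withheld from any http:// request, so only the cookies without it can be observed before a redirect to HTTPS) modelled as an added Python example; this is not code from the original post or from either site, and every cookie name, domain and value is constructed.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers (hypothetical names, domains and values), modelled
# on the answer's observation that only some of a site's cookies carry Secure.
SAMPLE_SET_COOKIE = [
    "SID=sess-1; Domain=.example.com; Path=/; Secure; HttpOnly",
    "SSID=sess-2; Domain=.example.com; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Domain=.example.com; Path=/",
    "mail_token=tok-3; Domain=mail.example.com; Path=/mail",
    "user=alice%40example.com; Domain=mail.example.com; Path=/",
]

def parse_set_cookie(header):
    """Parse one Set-Cookie header into the attributes that matching needs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": None, "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()  # ".example.com" -> "example.com"
        elif key == "path":
            cookie["path"] = val or "/"
    return cookie

def _path_matches(req_path, cookie_path):
    # RFC 6265 section 5.1.4 path-match: exact, or prefix ending on a "/" boundary.
    return req_path == cookie_path or (req_path.startswith(cookie_path) and
        (cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"))

def cookies_sent_to(set_cookie_headers, url, set_host):
    """Sorted names of the cookies a browser would attach to a request for url.
    set_host issued the headers; a cookie without Domain is host-only for it."""
    u = urlsplit(url)
    host, path = u.hostname.lower(), u.path or "/"
    sent = []
    for c in map(parse_set_cookie, set_cookie_headers):
        if c["secure"] and u.scheme != "https":
            continue  # the Secure attribute keeps the cookie off cleartext requests
        d = c["domain"]
        ok = host == set_host if d is None else (host == d or host.endswith("." + d))
        if ok and _path_matches(path, c["path"]):
            sent.append(c["name"])
    return sorted(sent)
```

Running `cookies_sent_to(SAMPLE_SET_COOKIE, "http://mail.example.com/mail/", "mail.example.com")` lists exactly the non-Secure cookies, which is what an auditor compares against the cookies that actually carry the session.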
