I see facebook sends cookies over http. How are they secure from hijacking? If I were to copy the cookie onto another computer would I be logged in?
You've just described Session Hijacking, and it is a real security issue. It can be avoided in a number of ways. The simplest way to secure the cookies, though, is to ensure they're encrypted over the wire by using HTTPS rather than HTTP.
Cookies sent over HTTP (port 80) are not secure as the HTTP protocol is not encrypted.
Cookies sent over HTTPS (port 443) are secure as HTTPS is encrypted.
So, if Facebook sends/receives cookies via HTTP, they can be stolen and used nefariously.
Cookies sent over HTTP are insecure; those sent over HTTPS are a bit more secure than HTTP, however they can still be stolen since there are a few methods discovered lately to hack SSL. A complete writeup on session hijacking and all of the session hijacking attacks can be found here: http://cleverlogic.net/tutorials/session-hijacking-0. There is also a bit on preventing session hijacking.
My question is: if I am hosting my website over an HTTPS connection, could the cookie still potentially be stolen by an attacker to perform a man-in-the-middle attack?
In an HTTP connection, the attacker might intercept the cookie and can hijack a victim's session. So if the attacker can carry out a man in the middle attack, he can force the victim to make an http request and steal the cookie.
So is this risk still there in an HTTPS connection? Or how can I make it more secure so that the attacker cannot steal the cookie?
The answer is YES.
Not sure if I am explaining this well enough.
But take a look at : https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
On an extra note:
The cookie will reside on the user end and HTTPS just specifies that the connection that will be used between the two ends will be encrypted and an SSL certificate is used.
SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. An SSL certificate is a data file hosted in a website's origin server. SSL certificates make SSL/TLS encryption possible, and they contain the website's public key and the website's identity, along with related information.
"Or how can I make it more secure so that the attacker cannot steal the cookie?"
You must declare that in web.config using requireSSL to force the cookie only on secure connections:
<httpCookies domain="domain.com" requireSSL="true"/>
More to read: Can some hacker steal a web browser cookie from a user and login with that name on a web site?
From what I understand, if a user uses plain HTTP without TLS encryption layer then anyone listening "on the wire" can see the user's session cookie and steal it. So does this mean that it is impossible to guard against session hijacking if the website does not implement HTTP over TLS? Does it mean all websites before https could not guard against session hijacking?
The scenario might look like this.
1. A good guy logs into their account
GET / HTTP/1.1
Host: onlinecommunity.com
Cookie: PHPSESSID=f5avra_=AKMEHO_ga=GA1.2.93f54422f2ac010
2. A bad guy listening "on the wire" sees the plain HTTP request
3. A bad guy sends the same request
GET / HTTP/1.1
Host: onlinecommunity.com
Cookie: PHPSESSID=f5avra_=AKMEHO_ga=GA1.2.93f54422f2ac010
4. Now the bad guy sees the good guy's profile!
How did people prevent SESSION hijacking before HTTPS?
I think I found the answer (in part) to my own question, so I'll share it here for others.
If the website doesn't use encryption, then you can use a VPN to encrypt the requests; this way the session cookie will be hidden (encrypted).
You can re-create the session cookie with every request. Although from what I read this can be difficult to implement.
You can check against other header fields and compare them to the last request. If they are too different then you can block access.
You can check against the IP address. But since the person might be on a mobile network the IP can change for legitimate reasons, so you can at least check against an IP range to make sure it's coming from the same country as the last request.
I suppose in general, if the website uses plain text HTTP without encryption, you can also steal their username and password by listening on the wire. So you should at least use a VPN (VPNs encrypt all data). I guess - never use plain text HTTP requests for any sensitive information.
Feel free to add or correct me.
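As an added illustration (not part of the original post), a server-side session store that applies two of the mitigations listed above: the session is bound to a fingerprint of request headers and the session id is rotated on every request, so a sniffed cookie works at most once and only from a matching client. The bound headers, the user name and the request dictionaries are constructed for the example.

```python
# Added example (not from the original post): a session store that binds a
# session to request-header fingerprint and rotates the id on every request.
import hmac
import secrets

# Headers the session is bound to; chosen for this example only.
BOUND_HEADERS = ("User-Agent", "Accept-Language")


def fingerprint(headers):
    """Stable summary of the headers a session is bound to."""
    return "|".join(headers.get(h, "") for h in BOUND_HEADERS)


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session id -> {"user": ..., "fp": ...}

    def login(self, user, headers):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "fp": fingerprint(headers)}
        return sid

    def authenticate(self, sid, headers):
        """Return (user, new_sid) for a valid request, or (None, None).
        The presented id is consumed either way, so a captured cookie can be
        replayed at most once, and a fingerprint mismatch drops the session
        (the legitimate user then has to log in again)."""
        record = self._sessions.pop(sid, None)
        if record is None:
            return None, None
        if not hmac.compare_digest(record["fp"], fingerprint(headers)):
            return None, None   # same cookie, different client: blocked
        new_sid = secrets.token_urlsafe(32)   # rotate on every request
        self._sessions[new_sid] = record
        return record["user"], new_sid


if __name__ == "__main__":
    store = SessionStore()
    good = {"User-Agent": "Firefox/115", "Accept-Language": "en-US"}
    bad = {"User-Agent": "curl/8.0", "Accept-Language": "en-US"}
    sid = store.login("alice", good)
    user, sid2 = store.authenticate(sid, good)   # ('alice', <new id>)
    print(user, sid2 != sid)
    print(store.authenticate(sid, bad))          # (None, None): id consumed
    print(store.authenticate(sid2, bad))         # (None, None): mismatch
```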
I have an IIS web server, where I have direct access to a page like (page.com), so that's the reason why I have allowed HTTP (port 80) and then I am using HTTPS (port 443).
When user enters the page on port 80 (page.com), he will be redirected to HTTPS (443). So my web server uses HSTS with long max-age parameter (defense against ssl strip).
Is my page secure with HSTS header this way? If not, what should I do?
Thanks a lot!
As always, the question is secure against what? Secure against ssl strip after the first response with HSTS (and before it expires)? Yes. Secure against ssl strip on the very first request (or the first after HSTS expired)? No. Secure against a range of different attacks? Not necessarily (dns hijack on the first request, corporate ssl inspection, rogue root cert in clients, malware... the list is endless).
Could you make it more secure? Yes, by disabling plain http altogether. Would that make sense in your scenario? Only you can tell.
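As an added illustration (not from the original answer), a small model of a browser's HSTS cache that shows exactly the window the answer describes: an http:// request is upgraded only after the first HTTPS response that carried the header, and only until its max-age expires. The host names, header values and timestamps are constructed.

```python
# Added example (not from the original answer): a tiny model of a browser's
# HSTS cache (host -> expiry, includeSubDomains), as per RFC 6797 semantics.
import re


class HstsCache:
    def __init__(self):
        self._entries = {}   # host -> (expires_at, include_subdomains)

    def observe_response(self, host, scheme, headers, now):
        """Record the HSTS policy from a response. The header is ignored on
        plain-http responses, so a stripping attacker cannot set a policy."""
        if scheme != "https":
            return
        value = headers.get("Strict-Transport-Security")
        if not value:
            return
        m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 clears the policy
            return
        sub = bool(re.search(r"includeSubDomains", value, re.I))
        self._entries[host] = (now + max_age, sub)

    def upgrades(self, host, now):
        """True if an http:// request to host would be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if not entry:
                continue
            expires_at, sub = entry
            if now >= expires_at:
                continue                    # policy expired: back to square one
            if i == 0 or sub:
                return True
        return False


if __name__ == "__main__":
    cache = HstsCache()
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print(cache.upgrades("page.com", now=0))          # False: very first visit
    cache.observe_response("page.com", "https", hdr, now=0)
    print(cache.upgrades("page.com", now=100))        # True
    print(cache.upgrades("www.page.com", now=100))    # True (subdomain)
    print(cache.upgrades("page.com", now=31536000))   # False: expired
```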
What makes https more secure than http?
The short answer is that https communication between your browser and the server is encrypted, while http traffic is sent in plain text. This means that anyone who can listen to the traffic can read it (this would include usernames and passwords). It also verifies the server to which you are connecting.
That it is encrypted. Read: en.wikipedia.org/wiki/HTTP_Secure
Anything not over HTTPS can be read by anyone snooping on your network.
I'm quoting:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.
More information on TLS:
The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.
Also, HTTPS verifies that the site is who it claims to be, if the certificates are correct (signed by a known CA).
All traffic is encrypted. No one on your network can see what is going on (except for knowing where those packets are going to).
The identity of the remote server can be verified using certificates. So you also know that it really is your bank that you are talking to.
Optionally (and not in wide-spread use), the identity of the client can also be verified using certificates. This would allow for secure login to a site using chip cards instead of (or in addition to) passwords.
I want to be really pedantic, as I'm a security nerd :)
HTTPS uses SSL, and its IETF-ratified cousin, TLS. SSL/TLS can offer four security services:
1) server authentication
2) channel encryption
3) channel tamper detection
4) client authentication
Usually you'll get server auth for free, but only if the host name and the common name in the server's SSL/TLS certificate match. If they don't match your browser will warn you. You usually get the channel defenses for free too, but that's only because the server and client negotiate to require such defenses. In theory, but rarely in practice, a server and client could agree to not use one or more of the channel defenses.
Finally, client authentication is when the server wants you to present a certificate (actually, to prove you have an associated private key) to verify you are you. Client authentication is rarely used.
Can cookies set using HTTP be read using HTTPS?
Cookies set with the "Secure" keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if "secure" is absent, the cookie may be sent over an insecure connection.
In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.
HTTP: Cookie with "Secure" will be returned only on HTTPS connections (pointless to do, see note below)
HTTPS: Cookie with "Secure" will be returned only on HTTPS connections
HTTP: Cookie without "Secure" will be returned on HTTP or HTTPS connections
HTTPS: Cookie without "Secure" will be returned on HTTP or HTTPS connections (could leak secure information)
Reference: RFC 2109
See 4.2.2 (page 4), 4.3.1
Note: It is no longer possible to set "secure" cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the Strict Secure Cookies specification.
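As an added illustration (not from the original answer), a small model of how a browser stores and sends cookies according to the table above: a cookie with "Secure" is sent only over HTTPS, one without it is sent over either scheme, and under Strict Secure Cookies a "Secure" cookie set from an http:// origin is dropped at arrival. The cookie names and values are constructed.

```python
# Added example (not from the original answer): browser-side handling of the
# "Secure" cookie attribute, including the Strict Secure Cookies rule.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a minimal Set-Cookie value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs)


def accept_cookie(header: str, origin_scheme: str, strict_secure: bool = True):
    """Return the stored Cookie, or None if the browser rejects it.
    With Strict Secure Cookies, a Secure cookie set over http:// is dropped."""
    cookie = parse_set_cookie(header)
    if strict_secure and cookie.secure and origin_scheme != "https":
        return None
    return cookie


def cookie_is_sent(cookie: Cookie, request_scheme: str) -> bool:
    """A Secure cookie goes only over https; others go over either scheme."""
    return request_scheme == "https" or not cookie.secure


def cookie_header(jar, request_scheme: str) -> str:
    """Build the Cookie request header a browser would attach."""
    sent = [f"{c.name}={c.value}" for c in jar if cookie_is_sent(c, request_scheme)]
    return "; ".join(sent)


if __name__ == "__main__":
    jar = [c for c in (
        accept_cookie("sid=abc123; Secure; HttpOnly", "https"),
        accept_cookie("pref=dark", "https"),        # no Secure: leaks over http
        accept_cookie("tok=xyz; Secure", "http"),   # dropped by strict rule
    ) if c]
    print("https ->", cookie_header(jar, "https"))  # sid=abc123; pref=dark
    print("http  ->", cookie_header(jar, "http"))   # pref=dark
```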