Security

Submission + - The CookieMonster Demands Satisfaction (fscked.org)

mikepery writes: "------ Begin Cut Here —
Note to slashdot editors: Hey guys, I was wondering if you could help me out a bit to correct for the fairly inaccurate article you featured about my HTTPS hijacking work being a Gmail-specific attack tool. I want to make sure the record is set straight, and people realize that a lot more sites are potentially affected than just Gmail, so that they can ensure they are fixed properly.
------------ End Cut Here —

I figure the slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool is Gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put "CookieMonster" in the subject, without a space.

I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."
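The submission above says many HTTPS sites are exposed to cookie hijacking but does not spell out what "adopting SSL properly" means for a site operator. The following is an added example, not part of the original submission or of the CookieMonster tool; it assumes (a fact about the attack class, not stated on the page) that the hijacking depends on session cookies that lack the Secure attribute, which a browser will also transmit over plaintext http:// requests to the same domain. The script audits Set-Cookie header values and reports cookies that are missing Secure (and, as a secondary finding, HttpOnly). The sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for cookies that a browser would also send in the clear.

Added example: not the CookieMonster tool and not code from the original post.
The defensive rule it checks is that any cookie carrying session state on an
HTTPS site must carry the Secure attribute, otherwise the browser will attach it
to plain http:// requests for the same domain as well.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie header value and flag missing protective attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is name=value; later segments are attributes.
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; Secure and HttpOnly take no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    issues = []
    if not secure:
        issues.append("missing Secure: browser will also send this cookie over http://")
    if not httponly:
        issues.append("missing HttpOnly: readable by page scripts")
    return CookieFinding(name=name, secure=secure, httponly=httponly, issues=issues)


def audit_set_cookie_headers(headers: List[str]) -> List[CookieFinding]:
    """Audit every Set-Cookie header value from one response."""
    return [parse_set_cookie(h) for h in headers]


def cookies_missing_secure(headers: List[str]) -> List[str]:
    """Names of cookies that would be exposed on a plaintext request."""
    return [f.name for f in audit_set_cookie_headers(headers) if not f.secure]


# Constructed sample: three Set-Cookie values as an HTTPS site might emit them.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com; HttpOnly",
    "SSID=def456; Path=/; Domain=.example.com; Secure; HttpOnly",
    "prefs=theme=dark; Path=/",
]


if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        status = "ok" if not finding.issues else "; ".join(finding.issues)
        print(f"{finding.name}: {status}")
```

In practice the header values would come from a real response (for example `response.headers.get_all("Set-Cookie")` on an `http.client` response); the parsing and reporting logic is the same. A cookie named like a session identifier that appears in the missing-Secure list is the finding a site operator should act on first.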

Comment Re:Law Enforcement and Technology (Score 5, Insightful) 489

Sounds fine to me; We have to keep our law enforcement departments up to date with technology. I would gladly trade my privacy in silly conversations for the safety of a secured America. The only people who don't like this stuff are people who have something to hide.

That's nice for you, but I wouldn't trade my privacy in silly conversations for the (illusion of) safety in America. Neither would a lot of other people. The problem is, you can't just trade your privacy by endorsing wiretaps. You're trading everyone's privacy. Perhaps you'd like to write a letter allowing the government to listen to all the conversations they want, read your emails, and rifle through your files, but don't speak for the rest of the country.

Comment Re:RE/Cracking tutorials and games (Score 1) 211

Yeah, this is basically the exact reason why we're working on this book. Because there are SOOOoooooo many tutorials and articles about doing specific things, and yet no one has documented a general approach.

Thanks for the links, will be traversing these for general ideas and assimilation ;)
