Explore the critical security vulnerabilities associated with HTTP cookie hijacking in this IEEE Symposium presentation. Delve into the widespread privacy implications of partially deployed HTTPS, uncovering how service personalization can inadvertently expose sensitive user information. Examine real-world examples from major websites, including Google, Bing, Yahoo, Amazon, and eBay, revealing the extent of data leakage. Investigate the impact on mobile apps, browser security mechanisms, and ad networks. Learn about the potential for deanonymizing Tor users through these attacks. Analyze the results of a 30-day network measurement study detecting over 282,000 vulnerable accounts. Evaluate current countermeasures, including HSTS and HTTPS Everywhere, and understand their limitations in fully protecting user privacy.
The Cracked Cookie Jar - HTTP Cookie Hijacking and the Exposure of Private Information
Overview
Syllabus
Intro
HTTP Cookie Hijacking
Move to HTTPS
Oh, you thought it was encrypted?
Real world privacy leakage
E-commerce
Large-scale cookie exposure
Attack Implications: Tor Network
Current countermeasures
HSTS
HTTPS Everywhere
Conclusion
Taught by
IEEE Symposium on Security and Privacy
