I've now read the paper "sec15-paper-zheng-updated.pdf", the 2015-08-13 version, from
https://www.usenix.org/conference/useni ... tion/zheng
Some comments:
* this is a peer reviewed paper, some references were last checked (by the authors) in February 2015,
some issues have been documented since 2002. So the underlying issues have been present, and poorly
understood, for a long time.
* I'm no expert (in this area) but I did find the paper very interesting.
To whet your appetite:
" ... For example, a cautious user might only visit news websites at open wireless networks like those at
Starbucks. She might not know that this is sufficient for a temporary MITM attacker to inject malicious cookies
to poison her browser, and compromise her bank account when she later logs on to her bank site at home.
We aim to understand how could attackers launch cookie injection attacks, and what are the damaging consequences
to real-world websites. Our study shows that most websites are potentially susceptible to cookie injection
attacks by network attackers. For example, only one site in the Alexa top 100 websites has fully deployed HTTP
Strict Transport Security (HSTS) on its top-level domain, a sufficient server-side protection to counter cookie
injection attacks by network attackers (Section 3). ... ..."
They did manage to compromise several e-commerce sites.
Back to the OP's question
yes_noscript wrote:
I wonder if NoScript protect us against that?
The use of the NoScript setting
Options > Advanced > HTTPS > "Enable Automatic Secure Cookies Management"
might help in some cases.
Rephrasing the question:
Will NoScript's "Automatic Secure Cookies Management" defeat all the
vulnerabilities mentioned in the paper?
I don't think so. I certainly would not
assume so.
What might defeat many of these attacks is to use Firefox JUST to do one
important thing (e.g. webmail) and then close Firefox, discarding all the cookies.
I advocate and use 'specific Firefox Profiles for specific uses / sites'.
Examples include a Profile 'just used for Bank' and a separate one 'just for webmail'
and a third one 'just for making online purchases' (general looking at 'things to buy'
is done in yet another Profile).
All my Profiles have NoScript (NS) to block Javascript (and other active content) and
RequestPolicy Continued (RPC) to block all outgoing requests from the 'site I appear to be on',
as seen in the 'URL bar', to other sites.
These 'other sites' might be to Content Delivery Networks (CDNs)
but they might be to Advertising Networks.
RPC is controlling 'all outgoing Requests', which might 'collect an image', 'collect a script',
'collect an advert' etc.
FROM the 'site you appear to be on' TO another domain.
All Profiles, where I do ANY 'logging in', are set to clear all
Cookies, Active Logins, Cache, Forms & Search History,
Site Preferences and Offline Web Site Data when you close Firefox.
Most of these Profiles also clear Browsing & Download History as well.
See
Using Release, ESR, Beta, Aurora, and/or Nightly together.
http://forums.mozillazine.org/viewtopic ... &t=2821799
for a good source of ideas of how to use many Profiles.
Another piece of serendipity, FYI (please don't comment in the bugzilla bug):
Richard Barnes has added a telemetry probe to Nightly (Fx 44).
Add telemetry to measure how often secure cookies are set from non-secure origins
https://bugzilla.mozilla.org/show_bug.cgi?id=1208847
Richard Barnes wrote:
Some recent research highlights risks that arise from non-secure origins being able to set secure cookies.
https://www.usenix.org/system/files/con ... pdated.pdf
As a prelude to making any changes to cookie handling rules, we should add a telemetry probe to see how often
this happens in practice. (For completeness, though, let's measure the whole matrix of cookie/origin
secure/nonsecure.)
DJ-Leith
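Two things in the post above lend themselves to a small defender-side check: the paper's point that HSTS fully deployed on the top-level domain is the server-side protection against cookie injection by a network attacker, and the bugzilla comment's "whole matrix of cookie/origin secure/nonsecure". The following Python audit is an added example, not code from the post, the paper or the Mozilla bug: it takes a captured response (origin URL plus raw headers) and classifies each Set-Cookie into the four cells of that matrix, flagging the two risky cells, and checks the Strict-Transport-Security header on HTTPS origins. The sample responses are constructed; the function names, and the choice to treat "fully deployed" as max-age present and non-zero plus includeSubDomains, are my assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample responses (origin URL, list of (header, value) pairs).
# They are not captures from any real site.
SAMPLE_HTTP = ("http://bank.example/", [
    ("Set-Cookie", "session=abc; Secure; HttpOnly"),   # Secure cookie from a non-secure origin
    ("Set-Cookie", "pref=1"),
])
SAMPLE_HTTPS_OK = ("https://bank.example/", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc; Secure; HttpOnly; Path=/"),
])
SAMPLE_HTTPS_WEAK = ("https://shop.example/", [
    ("Strict-Transport-Security", "max-age=0"),          # max-age=0 clears HSTS rather than enabling it
    ("Set-Cookie", "cart=123; Path=/"),                  # no Secure attribute over HTTPS
])


def origin_is_secure(origin_url):
    return urlsplit(origin_url).scheme.lower() == "https"


def cookie_matrix_cell(origin_url, set_cookie_value):
    """Return (origin_secure, cookie_secure): one cell of the 2x2 matrix
    from the bugzilla comment (assumed naming)."""
    attrs = [p.strip().lower() for p in set_cookie_value.split(";")[1:]]
    return (origin_is_secure(origin_url), "secure" in attrs)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into max-age and includeSubDomains."""
    result = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: leave it as None so it is reported
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def audit_response(origin_url, headers):
    """Classify Set-Cookie headers and check HSTS; returns a findings dict."""
    findings, matrix, hsts = [], {}, None
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = parse_hsts(value)
        elif lname == "set-cookie":
            cell = cookie_matrix_cell(origin_url, value)
            matrix[cell] = matrix.get(cell, 0) + 1
            cookie_name = value.split("=", 1)[0].strip()
            origin_secure, cookie_secure = cell
            if not origin_secure and cookie_secure:
                # The case the telemetry probe in bug 1208847 measures.
                findings.append(f"Secure cookie '{cookie_name}' set from non-secure origin")
            elif origin_secure and not cookie_secure:
                findings.append(f"Cookie '{cookie_name}' set over HTTPS without the Secure attribute")
    # Browsers ignore HSTS received over plain HTTP, so only judge it on HTTPS origins.
    if origin_is_secure(origin_url):
        if hsts is None:
            findings.append("No Strict-Transport-Security header")
        else:
            if not hsts["max_age"]:
                findings.append("HSTS max-age is missing or zero")
            if not hsts["include_subdomains"]:
                findings.append("HSTS lacks includeSubDomains")
    return {"hsts": hsts, "matrix": matrix, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_HTTPS_OK, SAMPLE_HTTPS_WEAK):
        print(sample[0], audit_response(*sample))
```

Fed with the constructed samples, the plain-HTTP response lands one cookie in the (non-secure origin, Secure cookie) cell, the hardened HTTPS response produces no findings, and the weak one is reported for the missing Secure attribute, the zero max-age and the missing includeSubDomains. In practice you would feed it headers captured from your own sites to see where a cookie set over HTTP could shadow one set over HTTPS.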