security - Gmail and Facebook Profile-specific HTTPS: Vulnerable? -


i've begun wonder something:

given gmail , facebook use https on per-profile basis, , don't use default, connections them vulnerable?

i'm not familiar @ protocols involved, reasoning goes this: browser needs figure out whether or not use https, , default, doesn't. means whenever point page facebook.com, browser sends piece of information (perhaps session id?) on unencrypted channel facebook, before figuring out whether or not i've requested https. (please correct me if i'm wrong, don't believe uses secure connection sending this.)

doesn't mean hijack session id in middle of unsecure connection? potential vulnerability?

cookies use secure flag sent via https. possible redirect http https , avoid sending session cookies on http before redirection wouldn't count on never connect gmail using http://mail.google.com/ - https://mail.google.com/

actually checked , gmail seems set 6 cookies - 3 of secure. when visit http://mail.google.com/mail/ browser sends email address in cleartext see before redirected https.

as security of facebook... recommend watching "how met girlfriend" talks samy kamkar at defcon (shorter) , at blackhat (longer).

update avoid confusion in comments: samy kamkar explained method guess facebook session cookie https doesn't matter @ here. point can use https , still vulnerable session hijacking.


Comments

Post a Comment

Popular posts from this blog

apache - Add omitted ? to URLs -

i working on website cms reads page name of query string, e.g. http://exmaple.com/?pagename . trying create rewrite rule rewrite ? . so, user types in /pagename , taken /?pagename try this: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^/?(.*) index.php?$1 [l]
Read more

redirect - bbPress Forum - rewrite to wwww.mysite prohibits login -

i using bbpress installation without wordpress integration. the redirect of rewriteengine @ forum site works: rewriteengine on rewritecond %{http_host} ^forum.mysite.com$ rewriterule (.*)$ http://www.forum.mysite.com/$1 [r=301,l] the problem login pppress. bbpress login not recognize: http://www.forum.mysite/bb-login.php . it redirects to: http://forum.mysite.com/bb-login.php . i tried permalink settings none , name based, same issue. does uses redirect in bbpress or how can eliminate "double" content , redirect permanently www.? i redirected www.forum.mysite.com forum.mysite.com , achieved eliminate "double" content.
Read more

php - How can I stop spam on my custom forum/blog? -

so have custom built forum & blog system of late has been dealing lot of spam. if wordpress use akismet, if different common platform i'm sure i'd find plugin. there kind of static class can download this? using php. i'd still go akismet, if it. uses outside of wordpress, may have pay fee it, depending on use -- check terms , conditions -- it's option , easy implement in php using api. use api key wordpress. com account access. basically, grab whichever php client library takes fancy -- use alex potsides' php5 library -- plug in key, , it's handful of lines of code. here's bare bones of validation straight 1 of live sites: ... if ($akismet) { $akismet->setcommentauthor($name); $akismet->setcommentauthoremail($session->userinfo["email"]); $akismet->setcommentauthorurl(""); $akismet->setcommentcontent($sentence);...
Read more