Comments on: Even Forced SSL is broken for Facebook Google Twitter http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/?utm_source=rss&utm_medium=rss&utm_campaign=even-forced-ssl-is-broken-for-facebook-google-twitter Pro-Culture, Pro-Commerce Mon, 14 Jan 2013 10:54:13 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: בשעה טובה Facebook over SSL. | הבלוג של iTK98 http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-20034 בשעה טובה Facebook over SSL. | הבלוג של iTK98 Wed, 26 Jan 2011 21:02:09 +0000 http://www.digitalsociety.org/?p=7566#comment-20034 [...] Society: 1 [...]

]]> By: Online services security report card « Rogerio Aristides http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17259 Online services security report card « Rogerio Aristides Sun, 07 Nov 2010 14:10:50 +0000 http://www.digitalsociety.org/?p=7566#comment-17259 [...] been offering incorrect advice to just use force the website to run SSL, but my testing shows that sidejacking is still possible even when the site runs SSL.  Some people have suggested tools that go as far as rewriting the website’s javascript but [...]

]]> By: SiliconANGLE — Blog — Microsoft promises fix to Hotmail security this month http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17176 SiliconANGLE — Blog — Microsoft promises fix to Hotmail security this month Thu, 04 Nov 2010 19:41:04 +0000 http://www.digitalsociety.org/?p=7566#comment-17176 [...] Sites like Facebook that allow you to manually force an SSL connection for everything are still susceptible to cookie theft while sites like Ebay which doesn’t support full time SSL browsing aren’t susceptible.  [...]

]]> By: Digital Society » Blog Archive » Microsoft promises fix to Hotmail security this month http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17142 Digital Society » Blog Archive » Microsoft promises fix to Hotmail security this month Wed, 03 Nov 2010 23:13:32 +0000 http://www.digitalsociety.org/?p=7566#comment-17142 [...] [...]

]]> By: SiliconANGLE — Blog — Online services security report card http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17099 SiliconANGLE — Blog — Online services security report card Tue, 02 Nov 2010 15:01:28 +0000 http://www.digitalsociety.org/?p=7566#comment-17099 [...] been offering incorrect advice to just use force the website to run SSL, but my testing shows that sidejacking is still possible even when the site runs SSL.  Some people have suggested tools that go as far as rewriting the website’s javascript but [...]

]]> By: Digital Society » Blog Archive » Online services security report card http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17084 Digital Society » Blog Archive » Online services security report card Tue, 02 Nov 2010 02:44:17 +0000 http://www.digitalsociety.org/?p=7566#comment-17084 [...] [...]

]]> By: Giorgio Maone http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17053 Giorgio Maone Sun, 31 Oct 2010 14:53:59 +0000 http://www.digitalsociety.org/?p=7566#comment-17053 NoScript’s “Force HTTPS” feature covers all the request and the subrequests to the forced domains (no matter if images, scripts, stylesheets or anything else), hence you’re fully covered against this kind of attacks.

]]> By: Firesheep och tillit | Intensifier http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17029 Firesheep och tillit | Intensifier Sat, 30 Oct 2010 13:20:04 +0000 http://www.digitalsociety.org/?p=7566#comment-17029 [...] sida. Inte ens olika sätt att tvinga fram SSL (alltså HTTPS i det här fallet) hjälper eftersom javascript läcker okrypterad information. Min skepsis inför plugins som HTTPS everywhere inslaget i Radio Metropol besannades alltså. Det [...]

]]> By: Rajandran R http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17024 Rajandran R Sat, 30 Oct 2010 09:45:57 +0000 http://www.digitalsociety.org/?p=7566#comment-17024 Thanks a lot for the huge information about the Forced SSL in Chrome browser.
Its time for Browser Developers need to take a big step on this issue. Better one should stay away from Public Wi-Fi spot until we get a clearcut solution

]]> By: Nik Cubrilovic http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/comment-page-1/#comment-17023 Nik Cubrilovic Sat, 30 Oct 2010 08:32:35 +0000 http://www.digitalsociety.org/?p=7566#comment-17023 George – My (recently renamed) extension Fidelio takes care of what you describe in your first paragraph. It will:

* rewrite your cookies (as they are set) so that the secure flag is on (ie. they will only ever be sent back over an https connection)

* will rewrite main requests to https

* capture all doc loads, be it an image, javascript or xmlhttprequest, and either rewrite them to https or drop the request entirely

between these features, your cookies will never be sent in the clear. you can get it here:

http://github.com/nikcub/fidelio

]]>