How do login sessions work while on Tor, since Tor Browser disables cookies? It has always confused me how a site can differentiate users.
I know there are additional ways other than cookies, but still none the wiser how they work while on Tor.
Actually Tor Browser forces cookies to be discarded at the end of the browsing session. Cookies are small pieces of data that websites use to keep notes on who you are. They are commonly used as a login token, or as an identifier for advertisement companies to track you across multiple sites. By discarding all cookies when you start a new browsing session, these cannot be used to track you across sites.

Tor Browser disables the Flash plugin, which has its own form of persistent storage. As Flash applets auto-load on most systems, this again prevents a method of tracking you across sessions.

A similar story applies for the HTML5 storage capability. Websites can store data on your machine with the use of HTML5. This data can be much larger and more varied than cookies, and is technically distinct; but the risks in terms of being used as a tracking mechanism are the same.
The first part answers the question: "Actually Tor Browser forces cookies to be discarded at the end of the browsing session." So cookies are used like any normal website until you finish the session, then they are deleted.
Given a third-party webpage www.somepage.com handing out specific URLs to subscribed websites in the format www.somepage.com/site/3ir3jsd, how can I track that a user who has an account on www.somepage.com has visited one of the subscribed websites without resorting to cookies / localStorage?
A standard approach would be to store a cookie for www.somepage.com and add www.somepage.com/site/3ir3jsd via an IFrame. This has several issues, as new laws and browser defaults prohibit third-party cookies and local storage from being loaded.
Is there some other means to achieve this? I see that this is a potential privacy issue and would of course ask for permission to do this, and would prefer secure / non-privacy-infringing methods. All major browsers have to be supported, which rules out browser extensions too (looking at you, Internet Explorer 9-11). Maybe JavaScript? But I don't want the user to have to "login" to my page's service on every subscribed webpage. Storing their session cookie in the first party's localStorage / cookie is a potential security risk though (which would be needed when using JavaScript + storing their session data).
Another approach I have checked is client certificates, but they are poorly supported (read: often unsupported) by mobile browsers, and the usability of adding them is horrible in most of them too.
On every website I visit I get a pop-up that it uses cookies and that I should accept their cookie policy.
Meanwhile, in modern browsers we have localStorage, sessionStorage, IndexedDB and others that I might not be aware of.
So what are the specific reasons to use cookies, while there are a number of reasons which lead to security threats due to the use of cookies?
Because cookies can be used in (for example) PHP, while localStorage and so on are only usable within the client environment.
So the new technologies are fine within any client-based application, but are not very usable in PHP or any server-side application.
I did a small sample test and found that almost all web sites I tested suffer from the vulnerability where I can access restricted pages (i.e. pages that require logging in) even after I have logged out from the browser, if I save the cookies while I am still logged on.
The test was fairly simple. I just replayed a web request in Fiddler after I had logged out from the browser. For example, with outlook.com, after logging out, I could replay the page that shows the address book and still get my contacts' email addresses.
May I know what the industry standard is regarding this as I have one customer who insists on fixing this vulnerability but not wanting to increase the hardware specs.
I'm not sure if there's an industry standard, but there are best practices. And the best practice is to clean up the cookies, and to manage them properly.
You shouldn't have to worry about hardware on this either. It's a simple lookup to see if a value is valid. If it isn't, then the session state shouldn't get resurrected.
Again, I would use HttpOnly and a secure flag on the cookie. That way, it will limit replay attacks more. And when it comes to resurrecting sessions, make sure that session files are destroyed on the server, not just abandoned.
Abandoned sessions mean they can potentially be resurrected.
Hardware will generally not be an issue with this problem. If it is, then look at your solution, as there might be a better way.
I have several classic ASP websites that use session state for maintaining login state and user preferences. The code doesn't read or write any cookies; it just uses "session" variables which rely on the default ASPSESSION cookie set by IIS.
As no data is actually written to / read from the cookie in ASP code (only IIS reading the cookie and linking the user to a session ID), I would interpret this usage of cookies as having no privacy impact / being "privacy neutral", so I would not need to inform the user of the use of cookies.
Link to ICO Guidelines
You should analyse which cookies are strictly necessary and might not need consent.
and more:
It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other.
However, I am not a lawyer.
So, I guess I am asking:
1) Is your interpretation of this usage of cookies in agreement with my view that these are "privacy neutral" cookies, and won't require consent?
2) What situations have you faced with your use of cookies, and what changes did you make to comply? (e.g. pop-ups, expanded T&Cs, etc.)
3) Any other thoughts?
Thanks again,
Williard
What methodologies do people recommend for mitigating the 'Firesheep' method for website applications?
We have thought about this and from a usability perspective, other than encrypting all traffic to a site, mitigating the attack can be somewhat of a problem for web developers.
One suggestion we came up with was to use path-based cookies, and encrypt traffic for a specific path where account operations or personalised interaction happen. This however complicates usability, in as much as the rest of the site (the un-encrypted, un-authenticated bit) does not know who the user would be.
Does anyone have any other suggestions for mitigating this vector of attack, while maintaining an acceptable level of usability?
Firesheep is nothing new. Session hijacking has been going on for more than two decades. You don't need to "encrypt" your cookie; that's handled by your transport layer. Cookies must always be a cryptographic nonce.
Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. Firesheep is for script kiddies that fear one line of JavaScript, but it really doesn't make this attack any easier to perform.
Cookies can be hijacked if you don't use HTTPS for the entire life of the session, and this is part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.
1) Use HttpOnly cookies. (Makes it so JavaScript cannot access document.cookie, but you can still do session riding with XSS.)
2) Use "secure cookies". (Horrible name, but it's a flag that forces the browser to send the cookie over HTTPS only.)
3) Scan your web application for XSS using Sitewatch (free) or wapiti (open source).
Also don't forget about CSRF! (Which firesheep doesn't address)
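The answer lists three cookie properties to check (HttpOnly, the Secure flag, and a value that is a random nonce rather than data). As an added example, not code from the answer, here is a small auditor that parses a `Set-Cookie` response header, as captured from your own application with `curl -I` or the browser's network panel, and reports which of those protections are missing. The `parseSetCookie` and `auditSessionCookie` names and the 22-character length heuristic for the session id are assumptions of this example, not anything the answer specifies.

```javascript
// Added example (not from the answer above): parse a Set-Cookie header and
// report which of the recommended protections are absent. The sample
// headers in the test are constructed for this demo.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attrs: {},
  };
  // Attribute names are case-insensitive; flags without a value become true
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : part.slice(i + 1).trim();
    if (key) cookie.attrs[key] = val;
  }
  return cookie;
}

// Returns a list of findings; an empty list means the session cookie carries
// HttpOnly (XSS cannot read document.cookie), Secure (never sent over plain
// HTTP, so Firesheep-style sniffing sees nothing), SameSite=Lax/Strict (the
// CSRF point the answer adds), and a value long enough to be a random token.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie under XSS');
  if (!c.attrs.secure) findings.push('missing Secure: sent over plain HTTP and sniffable');
  const samesite = String(c.attrs.samesite || '').toLowerCase();
  if (samesite !== 'lax' && samesite !== 'strict') findings.push('SameSite not Lax/Strict: CSRF-prone');
  // Heuristic (assumption of this example): anything shorter than 22 chars
  // cannot encode 128 bits of entropy in hex or base64 and is suspicious.
  if (c.value.length < 22) findings.push('session id too short to be a random 128-bit token');
  return findings;
}
```

Run `auditSessionCookie` over every `Set-Cookie` your login response emits; a weak header such as `sessionid=1234; Path=/` yields all four findings, while `sid=<32 hex chars>; Path=/; HttpOnly; Secure; SameSite=Lax` yields none. A cookie that passes this check can still be stolen by a server-side bug, which is why the answer's XSS scan is a separate item.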
Well, I found an interesting article on GitHub that describes a method of mitigating the Firesheep attack.
https://github.com/blog/737-sidejack-prevention
Anybody tried taking advantage of the "Web Storage" in HTML 5 to store a shared key (passed during SSL-encrypted responses during authentication) that is used by javascript to alter the session cookie over time?
That way, the stolen (unencrypted) session cookies would only be valid for a short amount of time.
My guess is that Web Storage is segmented by port (in addition to host), so it wouldn't be possible. Just throwing that idea out there in case anybody wants to run with it.
When user logs-in, store the IP-address in the session.
On each subsequent request from this session, check that the IP-address matches the one stored in the session.
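The two steps above, as an added example that is not part of the answer: a session is bound to the client address seen at login, and any later request from a different address drops the session and forces re-authentication. Two caveats a practitioner would want are built in and are assumptions of this example rather than anything the answer states: the address must be the TCP peer the server actually saw, or an `X-Forwarded-For` value appended by a proxy you trust (never a header the client can set), and a mismatch is treated as "log in again" rather than as proof of attack, because mobile clients change address legitimately. The `login`, `clientIp` and `authorize` names and the addresses in the test are constructed for the demo.

```javascript
// Added example (not from the answer above): binding a session to the
// address seen at login and rejecting requests from any other address.
// Names and addresses are made up for this demo.
const sessions = new Map(); // session id -> { user, ip }

function login(sessionId, user, clientAddr) {
  sessions.set(sessionId, { user, ip: clientAddr });
}

// Work out the client address. `remoteAddr` is the TCP peer; `xff` is the
// X-Forwarded-For header, honoured only when the peer is a trusted proxy.
// With one trusted proxy the rightmost entry is the one that proxy appended,
// i.e. the address it saw the client connect from; earlier entries are
// whatever the client chose to send and are ignored.
function clientIp(remoteAddr, xff, trustedProxies) {
  if (xff && trustedProxies.has(remoteAddr)) {
    const hops = xff.split(',').map(s => s.trim()).filter(Boolean);
    if (hops.length > 0) return hops[hops.length - 1];
  }
  return remoteAddr;
}

// Step 2 of the answer: compare the stored address on every request.
function authorize(sessionId, remoteAddr, xff, trustedProxies) {
  const s = sessions.get(sessionId);
  if (!s) return { ok: false, reason: 'no session' };
  const ip = clientIp(remoteAddr, xff, trustedProxies);
  if (ip !== s.ip) {
    // Caveat: a legitimate user on a mobile network will hit this too, so
    // the consequence is a fresh login, not an account lockout.
    sessions.delete(sessionId);
    return { ok: false, reason: 'ip mismatch' };
  }
  return { ok: true, user: s.user };
}
```

Note what this does and does not stop: a Firesheep-style attacker on the same Wi-Fi network usually shares the victim's public address behind NAT, so the check passes for them; it mainly limits use of a stolen cookie from elsewhere.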