The invaluable NoScript for Firefox plug-in just got a tad better.
According to Giorgio Maone, the developer behind the popular browser extension, a new experimental feature called "Forced Secure Cookies" has been added to NoScript v188.8.131.52 to mitigate the HTTPS cookie hijacking attack vector discussed at DEFCON 16 last month.
Enabled by default, [the new feature] can be disabled either globally, by toggling the noscript.secureCookies about:config preference, or for specific domains only, by listing them (space or comma separated) in the noscript.secureCookiesException about:config preference.
Maone described the new feature as an unobtrusive, non-interactive countermeasure against Mike Perry's automated HTTPS cookie-hijacking attack (see CookieMonster tool):
NoScript 184.108.40.206 just intercepts the “Set-Cookie” headers which are being sent over encrypted connections and are not flagged as “Secure” yet, adding the missing attribute on the fly before the cookie is stored.
This way, only those cookies actually created in the context of an encrypted transaction are forcibly switched to “Secure”, and therefore sites having lower security requirements and needing insecure cookies to work as a non-sensitive persistence mechanism are less likely to break.
Obviously those sites creating session-identifier cookies over insecure channels and recycling them after secure authentication won’t be helped by this implementation, but it’s apparently not the case of GMail, for instance.
However, should that prove itself to be such a common pattern to be worth protecting, a check on HTTP/HTTPS switching could be added to erase any previously set domain cookie.
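The header rewrite described above, sketched as an added example (this is not NoScript's own code): it appends the missing Secure attribute only to cookies set over HTTPS, honoring a global toggle and an exception list. The function names and the subdomain-matching rule for exceptions are assumptions, and the sample URLs and cookies are constructed.

```javascript
// Added illustration; not NoScript's source. All names below are hypothetical.

// Parse a space- or comma-separated exception list (the format of the
// noscript.secureCookiesException preference described above).
function parseExceptions(pref) {
  return pref.split(/[\s,]+/).filter(Boolean).map((d) => d.toLowerCase());
}

// Assumption: an exception entry matches the host itself and its subdomains.
function isExcepted(host, exceptions) {
  host = host.toLowerCase();
  return exceptions.some((d) => host === d || host.endsWith("." + d));
}

// True if the Set-Cookie value already carries the Secure attribute.
// Attributes follow the first ';', so a cookie NAMED "secure" is not a match.
function hasSecureAttr(setCookie) {
  return setCookie.split(";").slice(1).some((a) => a.trim().toLowerCase() === "secure");
}

// Return the Set-Cookie values as they should be stored.
// `enabled` mirrors the global noscript.secureCookies toggle.
function forceSecureCookies(url, setCookies, { enabled = true, exceptions = [] } = {}) {
  const { protocol, hostname } = new URL(url);
  // Only cookies created in an encrypted transaction are rewritten.
  if (!enabled || protocol !== "https:" || isExcepted(hostname, exceptions)) {
    return setCookies.slice();
  }
  return setCookies.map((c) => (hasSecureAttr(c) ? c : c.replace(/[;\s]*$/, "") + "; Secure"));
}

// Constructed sample responses.
const opts = { exceptions: parseExceptions("legacy.example, intranet.example") };
const demo = [
  ["https://mail.example/login", ["SID=abc123; Path=/; HttpOnly"]],
  ["https://mail.example/login", ["SID=abc123; Path=/; secure"]],
  ["http://mail.example/", ["SID=abc123; Path=/"]],        // set over HTTP: not helped
  ["https://app.legacy.example/", ["pref=dark; Path=/"]],  // excepted domain
];
for (const [url, cookies] of demo) {
  console.log(url, "->", forceSecureCookies(url, cookies, opts));
}
```

The third sample shows the limitation Maone notes: a session cookie first set over plain HTTP is stored without Secure, so a site that reuses it after HTTPS login stays exposed.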