Comments on: NoScript vs Insecure Cookies

By: hackademix.net » You Don't Know What My Twitter Leaks

hackademix.net » You Don't Know What My Twitter Leaks — Mon, 12 Jan 2009 22:10:16 +0000

[…] to your HTTPS behavior forced list and enabling automatic secure cookies management, to defeat cookie hijacking […]

By: Giorgio

Giorgio — Thu, 27 Nov 2008 21:29:09 +0000

@Keybounce:
account info (not service authorization!) is on cookie belonging to www.google.com. This means that you can leak your user id token, but not your authorization token.
BTW, there’s no default for forcing secure cookies anymore.
For your purposes, putting “google.com” in your NoScript Options|Advanced|HTTPS|Cookies|Force encryption for all the cookies… list should suffice.

By: Keybounce

Keybounce — Thu, 27 Nov 2008 20:58:52 +0000

… 1.8.0.6 switches to an opt-in policy controlled by the noscript.secureCookiesForced preference, whose default will be “www.google.com, gmail.google.com”. …

What about all the rest of the stuff at google?

Reader, maps, news, personalized home page, ** DOCS **, etc.

Most of the pages support secure stuff. Right now I have "Always use HTTPS" in gmail, and I have the newest noscript, yet going to the insecure pages (such as www.google.com) still identify me by email.

Gaa, there’s a noscript warning below me, with a recaptcha. Hope this works.

By: Wat sind eigentlich flash-cookies? | Der Gretzer

Wat sind eigentlich flash-cookies? | Der Gretzer — Fri, 10 Oct 2008 17:49:16 +0000

[…] NoScript vs Insecure Cookies […]

By: Blaise Alleyne

Blaise Alleyne — Fri, 19 Sep 2008 17:42:27 +0000

@Giorgio
Turns out I did have an older version, it was just auto-updated to 1.8.1.3 and the Twitter fix was explicitly mentioned in the release notes. Thanks!

By: Giorgio

Giorgio — Thu, 18 Sep 2008 21:55:25 +0000

@Blaise Alleyne: some of the early versions could, but latest stable and development versions of NoScript have no problem with logins.

By: Blaise Alleyne

Blaise Alleyne — Thu, 18 Sep 2008 21:29:10 +0000

In the last few days, I’ve been unable to log into del.icio.us, Twitter and Fire Eagle. I just disabled NoScript, and now I can login fine.

Could this new feature be getting in my way?

By: ammad

ammad — Thu, 11 Sep 2008 23:25:12 +0000

What if Noscript checks whether a site sends bad cookies and just warns the user, like xss does now?

By: Zero Day mobile edition

Zero Day mobile edition — Thu, 11 Sep 2008 13:36:09 +0000

[…] 10 free security utilities you should already be using ] Maone described the new feature as a countermeasure against Mike Perry’s automated HTTPS cookie-hijacking attack (see CookieMonster tool) that’s […]

By: Philipp

Philipp — Thu, 11 Sep 2008 12:55:13 +0000

PS: It may be noted however that this Add-on unfortunately does not work with sites redirected to by POST or embedded content (images, objects).