Monday, November 26, 2012

Why I installed "HTTPS Everywhere"

I was taking a look at how cookies are handled between YouTube and Google.com, since it uses accounts.google.com/ServiceLogin. I then set up a proxy in Google Chrome in order to have a quick look and maybe replay the request. I went to YouTube (which is served over plain HTTP, by the way) and then I typed "google.com". I saw cookies from YouTube and a warning from Google that the certificate wasn't right, but I also saw this for google.com:

Those are the same cookie names as the HTTPS version.

Fortunately, Google does it right, and when I tried to steal my own session by using these cookies over HTTPS, it failed with a redirection to accounts.google.com for the login mechanism. I did not try anything more.
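What happened above, reproduced with Python's standard-library cookie jar as an added example that is not part of the original post: cookies stored from an HTTPS login are attached to a plain-HTTP request to the same host unless the server set them with the Secure attribute, which is the server-side fix that complements forcing HTTPS in the browser. The host name and cookie names are constructed placeholders.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "www.example.test"  # constructed placeholder host, not a real site


class _FakeResponse:
    """Stand-in for an http.client response; CookieJar.extract_cookies()
    only calls .info() on it to read the Set-Cookie headers."""
    def __init__(self, set_cookie_lines):
        self._headers = Message()
        for line in set_cookie_lines:
            self._headers.add_header("Set-Cookie", line)

    def info(self):
        return self._headers


def jar_after_login(set_cookie_lines):
    """Store cookies the way a browser would after an HTTPS login response."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_lines), Request(f"https://{HOST}/"))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return set()
    return {part.split("=", 1)[0].strip() for part in header.split(";")}


# Constructed Set-Cookie lines: LEAKY is a site that forgot the Secure
# attribute on its session cookie, HARDENED is the corrected version.
LEAKY = ["session=abc123; Path=/; HttpOnly", "prefs=dark; Path=/"]
HARDENED = ["session=abc123; Path=/; HttpOnly; Secure", "prefs=dark; Path=/"]

if __name__ == "__main__":
    for label, lines in (("leaky", LEAKY), ("hardened", HARDENED)):
        jar = jar_after_login(lines)
        # typing the bare hostname first sends http://, as in the post
        print(label, "over http :", sorted(cookies_sent_to(jar, f"http://{HOST}/")))
        print(label, "over https:", sorted(cookies_sent_to(jar, f"https://{HOST}/")))
```

With the leaky headers the session cookie rides along on the http:// request; with Secure set, only the harmless preference cookie does, while the https:// request still carries both.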

I'm pretty sure many sites aren't that careful, so I installed HTTPS Everywhere. With the plugin installed, the request to the HTTP version is not sent when I type "google.com" in my URL bar.

By the way, it is made by the EFF and the Tor Project. It's available for Firefox and Chrome:
