The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information

@article{Sivakorn2016TheCC,
  title={The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information},
  author={Suphannee Sivakorn and Iasonas Polakis and A. Keromytis},
  journal={2016 IEEE Symposium on Security and Privacy (SP)},
  year={2016},
  pages={724-742}
}
  • Suphannee Sivakorn, Iasonas Polakis, A. Keromytis
  • Published 2016
  • Computer Science
  • 2016 IEEE Symposium on Security and Privacy (SP)
    • The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites, has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In… CONTINUE READING
    View on IEEE
    cs.columbia.edu
    51 Citations
    Highly Influential Citations
    6
    Background Citations
    36
    Methods Citations
    7
    Results Citations
    1

    Supplemental Video

    20:52
    Video
    The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information
    IEEE Symposium on Security and Privacy
    2 September 2016
    Explore Further
    Discover more papers related to the topics discussed in this paper
    51 Citations
    Citation Type

    Citation Type

    Cookie Hijacking in the Wild : Security and Privacy Implications
    • 2
    • PDF
    That's the Way the Cookie Crumbles: Evaluating HTTPS Enforcing Mechanisms
    • 14
    • PDF
    (In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags
    • 2
    Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
    • 14
    • PDF
    Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks
    • PDF
    The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws
    • 1
    • Highly Influenced
    Testing for Integrity Flaws in Web Sessions
    • 5
    • PDF
    Leaky Images: Targeted Privacy Attacks in the Web
    • 3
    • PDF
    O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web
    • 13
    • PDF
    Sub-session hijacking on the web: Root causes and prevention
    • 4
    • Highly Influenced
    • PDF

    References

    SHOWING 1-10 OF 88 REFERENCES
    Cookies Lack Integrity: Real-World Implications
    • 35
    • PDF
    Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS
    • 170
    • PDF
    The Cost of the "S" in HTTPS
    • 167
    • PDF
    Private Information Disclosure from Web Searches
    • 39
    • PDF
    Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments
    • 22
    • PDF
    Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning
    • 84
    • Highly Influential
    • PDF
    SessionShield: Lightweight Protection against Session Hijacking
    • 84
    • PDF
    Origin Cookies : Session Integrity for Web Applications
    • 44
    • PDF
    Cookies That Give You Away: The Surveillance Implications of Web Tracking
    • 148
    • PDF
    Robust defenses for cross-site request forgery
    • 428
    • PDF