Datarealm, a provider of cloud servers, dedicated servers and shared hosting, has warned its hosting customers and website owners about the risks posed by browsers' insufficient verification of cookie integrity. The warning responds to a CERT vulnerability note (25 September 2015) and a research paper published on August 12, 2015, by researchers from the University of California, Berkeley, Tsinghua University in Beijing, and Microsoft.
Cookies can be set by attackers from related subdomains and are then sent by the browser to the targeted site. Cookies are used by websites and applications to maintain state and user authentication. Unlike JavaScript and other web components, cookies are not subject to the same strict same-origin policy.
The research paper contains full details of the security risks posed by cookie injection attacks and "cookie tossing". Man-in-the-middle attackers may be able to insert cookies into secure HTTPS sessions through a non-secure HTTP connection. Both attacks pose risks to the security of information.
Datarealm further recommends that site owners implement HSTS as protection against some of the most pernicious consequences of cookie vulnerabilities.
HSTS (HTTP Strict Transport Security) is a mechanism that ensures the browser connects to a service only over secure HTTPS connections. HSTS is simple to implement with modern web servers and is widely supported by browsers. With HSTS enabled, most of the attacks made possible by the lack of cookie integrity verification in browsers are mitigated, says Datarealm.
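The following audit script is an added example, not code from Datarealm or from the research paper. It checks a server's response headers for the two mitigations discussed above: an HSTS policy strong enough to keep plain-HTTP cookie injection off the table (long max-age, includeSubDomains so related subdomains are also forced to HTTPS) and session cookies carrying the Secure flag. It also flags cookies without the `__Host-` prefix, a browser-side origin-binding mechanism that was introduced after this note was written, so that check goes beyond what the page describes. The sample responses and the one-year max-age threshold are constructed assumptions.

```python
"""Audit HTTP response headers for cookie-injection mitigations: HSTS and
Secure / __Host- cookies. Added example, not Datarealm's code.

Input is a list of (name, value) header pairs as a server would send them.
"""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# One year in seconds; a common threshold for a meaningful HSTS policy (assumption).
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security header value into its directives."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())  # max-age may be quoted
            if m:
                out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Extract the cookie name and the attributes relevant to injection resistance."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        # __Host- prefix: browser refuses the cookie unless set over HTTPS with
        # Secure and Path=/ and no Domain attribute (newer than the 2015 note).
        "host_prefix": name.startswith("__Host-"),
    }


def audit(headers: List[Header]) -> List[str]:
    """Return a list of findings; an empty list means no weakness was found."""
    findings: List[str] = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS header: cookies can be injected over plain HTTP")
    else:
        h = parse_hsts(hsts[0])
        if h["max_age"] is None or h["max_age"] < MIN_MAX_AGE:
            findings.append(f"HSTS max-age too short or missing: {h['max_age']}")
        if not h["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains: related subdomains stay reachable over HTTP")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        c = parse_set_cookie(v)
        if not c["secure"]:
            findings.append(f"cookie {c['name']} lacks Secure flag")
        if not c["host_prefix"]:
            findings.append(f"cookie {c['name']} lacks __Host- prefix (no origin binding)")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE: List[Header] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "__Host-session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit(resp) or ["no findings"]:
            print("  -", finding)
```

Run against a real site by collecting the response headers with your HTTP client of choice and passing them as (name, value) pairs; the checks are deliberately conservative, so a short max-age is reported even though browsers honour it.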
"It has long been known that cookies are a dangerous attack vector that can be used to expose sensitive information, but the recent paper establishes the full range of potential vulnerabilities," said Andrew Auderieth, CEO of Datarealm. "As a hosting company that supports hundreds of websites and web applications, we recommend that site owners take measures to mitigate the risks. In the absence of any standard mechanism to verify the origin of cookies, one of the best ways to reduce the risk is to implement HSTS."
Founded in 1995, Datarealm's web hosting products today include cloud hosting, dedicated servers, virtual private servers (VPS hosting), and shared hosting.