Updating to the most recent browser versions is a must

Sep 25, 2015 04:53 GMT  ·  By

CERT (Computer Emergency Response Team) revealed that all browser makers have misinterpreted and improperly implemented the RFC 6265 standard responsible for detailing how HTTP State Management should work.

If we already bored you by going too technical all of a sudden, the RFC 6265 standard is usually referred to by most computer geeks and programmers as "browser cookies," and it is an integral part of how the Web works, allowing websites to send and retrieve data from a user's browser.

According to CERT's announcement, "In most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information."

This is because cookies do not provide any integrity guarantees for subdomains, nor do they provide isolation by port.

These two details, when put together, can spell disaster for website owners, because if they set a cookie via HTTP (port 80) on foo.example.com, nothing will guarantee that the cookie won't be hijacked and used for intercepting HTTPS (port 443) on example.com.

Because browsers don't check how a secure flag is set in HTTPS cookies, attackers could easily intercept a regular HTTP cookie from one of the unprotected subdomains, add a secure flag, and then use it to override the main HTTPS cookie, thus being later able to intercept information about private sessions.

Browser vendors have already patched their products

Users who want to protect themselves from this kind of cookie injection MitM (Man-in-the-Middle) attacks should upgrade to the most recent version of their browser.

CERT notified all browser makers about this issue since May, and most of them have already fixed the problem through updates launched between August 31 and September 16. All browsers were affected, including Firefox, Safari, Chrome, Vivaldi, Opera, Edge, and IE.

If you don't want to update (which is weird and not recommended), you can also block cookies in your browser.

For webmasters, CERT recommends that they deploy HSTS (HTTP Strict Transport Security) on their top-level domain.