A team of scientists from the Computer Emergency Response Team (CERT) has issued a report stating that the way all modern browsers store and use cookies calls the security of the system into question.
The scientists said that browser makers implement RFC 6265, which governs browser cookies, incorrectly. The problem is as follows. Cookies obtained through an ordinary HTTP request can be marked as "protected", i.e. carry the secure flag. The idea is that such a cookie is transmitted only over an HTTPS connection.
However, the researchers found that many of today's browsers accept any cookies in an HTTPS connection without checking their source (so-called cookie forcing), including "protected" cookies that were planted in the system earlier. This allows an attacker to carry out a man-in-the-middle attack, injecting through an HTTP request a fake cookie that masquerades as a cookie of another, legitimate site and overwrites the real one. Such a substitution is difficult to spot, even for those who regularly check the browser's cookie lists for suspicious entries. Using such a forgery, the attacker can then easily intercept the user's private information during the HTTPS session.
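An added example, not code from the report or from any browser: a toy cookie store in JavaScript that reproduces the overwrite described above and shows it blocked by a stricter rule. The host `shop.example`, the cookie values and the `protectSecure` switch are constructed for illustration.

```javascript
// Toy cookie store. As in RFC 6265, a cookie is keyed by name + domain + path;
// the Secure flag is not part of the key.
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: host, path: "/", secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "secure") c.secure = true;
    else if (key === "domain" && v) c.domain = v.replace(/^\./, "").toLowerCase();
    else if (key === "path" && v.startsWith("/")) c.path = v;
  }
  return c;
}
const domainMatches = (host, domain) => host === domain || host.endsWith("." + domain);

// protectSecure = false: store whatever arrives (the behaviour the report describes).
// protectSecure = true: hypothetical stricter rule; plain HTTP may neither set a
// Secure cookie nor replace one that is already stored.
function storeCookie(jar, scheme, requestHost, header, protectSecure) {
  const host = requestHost.toLowerCase();
  const c = parseSetCookie(header, host);
  if (!domainMatches(host, c.domain)) return false;
  if (protectSecure && scheme === "http") {
    if (c.secure) return false;
    for (const old of jar.values()) {
      if (old.secure && old.name === c.name && old.domain === c.domain) return false;
    }
  }
  jar.set(`${c.name}|${c.domain}|${c.path}`, c);
  return true;
}
// Cookie header the browser would send to `host` over `scheme`.
function cookieHeaderFor(jar, scheme, host) {
  return [...jar.values()]
    .filter((c) => domainMatches(host, c.domain) && (!c.secure || scheme === "https"))
    .map((c) => `${c.name}=${c.value}`).join("; ");
}
// Constructed sample: HTTPS sets a Secure session cookie, then a plain-HTTP
// response for the same host sets a cookie with the same name and path.
function demo(protectSecure) {
  const jar = new Map();
  storeCookie(jar, "https", "shop.example", "session=real-token; Secure; Path=/", protectSecure);
  storeCookie(jar, "http", "shop.example", "session=forged; Path=/", protectSecure);
  return cookieHeaderFor(jar, "https", "shop.example");
}
console.log(demo(false), "|", demo(true));
```

With `protectSecure` off, the HTTPS request carries the value that arrived over plain HTTP; with it on, the original Secure cookie survives.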
The issue was first discussed in August 2015 at the USENIX 24 conference, so browser makers have already prepared and issued patches. Virtually all browsers were affected: Safari, Firefox, Chrome, Internet Explorer, Edge, Opera and Vivaldi. Only their most recent versions are free of the bug.
CERT experts also recommend that webmasters use HSTS (HTTP Strict Transport Security) for top-level domains.