Datarealm Warns Site Owners Of The Risks Of Cookie Injection Attacks
(PRWEB) September 30, 2015 -- Datarealm, a leading provider of cloud server, dedicated server, and shared hosting, has warned hosting clients and website owners of the risk posed by the inadequate integrity verification of cookies. The warning is a response to a CERT vulnerability advisory (September 25, 2015) and a research paper released August 12, 2015 from the University of California, Berkeley, Tsinghua University in Beijing, and Microsoft, which comprehensively details the risks to data security posed by cookie injection and cookie tossing attacks.
Datarealm further recommends that site owners implement HSTS as a protection against some of the most pernicious consequences of cookie vulnerabilities.
Cookies are used by websites and applications to maintain state and for user authentication. Unlike JavaScript and other web components, cookies are not subject to strict same-origin policies. Cookies can be set by attackers and sent by the browser to related subdomains. Man-in-the-middle attackers may be able to insert cookies into secure HTTPS connections via an insecure HTTP connection. Both attacks carry risks to information security.
“It's long been known that cookies are a dangerous attack vector and can be used to expose sensitive information, but the recent paper establishes the full range of potential vulnerabilities. As a hosting company supporting many hundreds of websites and web applications, we advise site owners to take action to mitigate the risks,” commented Andrew Auderieth, CEO of Datarealm. “In the absence of any standard mechanism for verifying the origin of cookies, one of the best ways to reduce the risk is to implement HSTS.”
HSTS — HTTP Strict Transport Security — is a mechanism for ensuring that the browser will only connect to a service using secure HTTPS connections. HSTS is simple to implement with modern web servers and is widely supported by recent browsers. With HSTS enabled, many of the attacks made possible by the lack of cookie integrity verification in browsers are mitigated.
###
About Datarealm:
Founded in 1995, Datarealm was one of the first Web hosting companies in the world. Datarealm has maintained its position as a trusted industry leader by continuously investing in cutting-edge web technologies and a commitment to extraordinary customer service. Datarealm’s current web hosting products include an advanced secure cloud hosting platform, dedicated servers, virtual private servers, and shared hosting. For more information, visit https://www.datarealm.com/.
Andrew Auderieth, Datarealm, https://www.datarealm.com/, +1 866-932-4678