LAS VEGAS—There’s been an abundance of attacks against crypto over the last few years but a much simpler, scarier threat, cookie hijacking, remains significantly overlooked in the eyes of researchers.
Two academics, Suphannee Sivakorn, a PhD student at Columbia University, and Jason Polakis, an assistant professor at the University of Illinois discussed just how woefully inadequate the encryption protecting some services is in a talk at Black Hat Thursday.
The pair studied 25 popular websites, from search engines such as Google, Yahoo, and Bing, to news sites such as the Huffington Post, MSN, and the New York Times. Fifteen of the sites supported HTTPS but not universally. Many of them offer personalization over HTTP, something that can lead to complicated interoperability and flawed access control, according to Sivakorn and Polakis.