
Is InformationWeek right? Are most all Drupal sites insecure?

August 21st, 2008

Personally, I think it’s just spreading FUD; but Information Week is reporting that “Just over a week ago, security researcher Mike Perry presented information at the DEFCON security conference about a vulnerability that affects many SSL-secured Web sites, including Amazon, Facebook, Gmail, addons.mozilla.org, most Drupal sites, and many online merchants and banks.”

I have no idea why Drupal would be mentioned by name in this manner, especially if it’s a problem with cookies and the SSL protocol.

Are there any Drupal core devs who would like to comment on this security issue? I’d love to write a follow-up blog post with the full story!



  1. August 21st, 2008 at 21:22 | #1

    We’re way ahead of you! :-)

    http://drupal.org/node/170310 addresses the SSL-based session cookie issue. Dries committed it 3 days ago to Drupal 7 and Drupal 6. And Drupal 5 will be patched shortly.

    Here are the comments I wrote for the patch:

    “To prevent session cookies from being hijacked, a user can configure the SSL version of their website to only transfer session cookies via SSL by using PHP’s session.cookie_secure setting. The browser will then use two separate session cookies for the HTTPS and HTTP versions of the site.” And the HTTPS session cookie will be protected from hijacking.

    You’ll still need to configure PHP’s session.cookie_secure setting on the SSL version of the website, as Drupal doesn’t enforce that.

  2. August 22nd, 2008 at 04:41 | #2

    There’s a patch that just landed in core that addresses this particular issue in Drupal:

    http://drupal.org/node/170310

    Mike Perry probably mentioned Drupal since that’s what his website is running.
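How a site administrator applies the PHP setting that comment #1 says Drupal itself does not enforce, as an added example for a site's settings.php (not code from the patch linked above; the file path and the way HTTPS is detected are assumptions):

```php
<?php
// Added example for sites/default/settings.php (path assumed from the
// Drupal 6 site layout); not code from http://drupal.org/node/170310.
//
// Weak setting (PHP's default): the session cookie is not flagged Secure,
// so the browser returns it with any plain-HTTP request to the same host,
// where it can be read in transit and replayed against the HTTPS site.
//   ini_set('session.cookie_secure', 0);

// Detect an HTTPS request the way common PHP SAPIs report it (assumption:
// your web server populates $_SERVER['HTTPS'] for TLS requests).
$is_https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

if ($is_https) {
  // Hardened setting: the session cookie carries the Secure attribute, so
  // the browser only ever sends it over TLS. Plain-HTTP requests to the
  // site get their own, non-Secure session cookie instead.
  ini_set('session.cookie_secure', 1);
}
```

Verify the result by logging in over https:// and checking that the Set-Cookie response header for the session cookie includes the `secure` attribute.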
