Valid HTML 4.01 Transitional

Active Sidejacking

James F. Carter <>, 2010-10-28

The topic of Active Sidejacking has come up again and apparently the vulnerability has not been closed. Recently Edson sent around links to relevant articles (with a few added items by jimc):

Jimc's conclusions:

First, I'm going to do the test that Eric Bollens suggested, to see if key websites (e.g. Fidelity Investments) are still vulnerable to this attack.

I have got to get a decent VPN working from Android to and/or my home server. So far the solutions I've tried have been unsatisfactory.

Most of my system administration activities are done over ssh, which is independent of the whole morass of web insecurity. But there are important non-sysadmin activites that do depend on the web.

Checking our web apps to see if they use insecure cookies.

There's a lot of jabber about if we use SSL for every page it will overload our servers. A number of comment posters referred to Google's blog post about activating SSL for all Gmail service: it added about 1% to their CPU load, and 10Kbytes per connection, which is insignificant for them. However there is a problem on Android (and presumably other Java-based phone OS's): it looks like they're doing SSL in Java! What a crock! Of course this takes a lot of CPU time, slowing down data transfer, and eats battery.