Thoughts from webmail session stealing
August 6, 2007
Much has been written about how Rob Graham was easily able to steal session ID cookies to hijack a person’s Gmail account at the Black Hat conference. Examples of coverage include this article in The Register and this one in tgdaily.
The hijack is possible despite the actual authentication exchange itself being protected by SSL. Any website that does not protect post-authentication exchanges with SSL or some other appropriate mechanism is similarly at risk.
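The weakness described above is purely a cookie-handling one: a session cookie issued after an SSL login that is not marked Secure will be attached by the browser to any plain-HTTP request to the same site, where it is exposed on the network. The following is an added illustration, not code from the post or from any of the sites it mentions; the header strings are constructed samples and the session cookie names are assumed defaults.

```python
"""Audit Set-Cookie headers for the post-authentication weakness: a session
cookie without the Secure attribute will be sent over cleartext HTTP even
though the login itself went over SSL. Added example; sample headers are
constructed, not taken from any real site."""
from http.cookies import SimpleCookie

# Constructed sample headers: the first is the risky pattern, the second is
# the hardened form a site should issue after a login over SSL.
WEAK_HEADER = "SID=abc123; Path=/; Domain=.example.com"
HARDENED_HEADER = "SID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"

# Assumed list of cookie names that carry a login session.
SESSION_COOKIE_NAMES = ("SID", "PHPSESSID", "JSESSIONID")


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (cookie name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def audit_set_cookie(header, session_names=SESSION_COOKIE_NAMES):
    """Return a list of findings for a session cookie; [] if it is fine or
    if the cookie is not a session cookie at all."""
    findings = []
    name, morsel = parse_set_cookie(header)
    if name not in session_names:
        return findings
    # Flags parse as True when present and "" when absent.
    if not morsel["secure"]:
        findings.append("missing Secure: cookie will be sent over cleartext HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    return findings


def issue_session_cookie(name, value, domain=None):
    """Build a hardened Set-Cookie value for a post-login session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True      # never sent over plain HTTP
    morsel["httponly"] = True    # not exposed to page scripts
    if domain:
        morsel["domain"] = domain
    return morsel.OutputString()


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, header)
        for finding in audit_set_cookie(header):
            print("  -", finding)
    print("issued:", issue_session_cookie("SID", "abc123", ".example.com"))
```

Run against a site's real responses, a checker like this catches the exact gap the post describes: the login page is served over SSL, but the cookie it sets is usable, and readable, on every later cleartext request.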
According to The Register article, Rob went on to say, “Web 2.0 is now fundamentally broken.” Uh…not quite.
However, this incident raised two thoughts:
1. Further along the lines of a post by Conor Cahill, it once again highlighted how authentication needs to be complemented by other security measures to make online transactions as a whole safe.
Sometimes there is too much focus on getting authentication right and not enough on other security measures. Authentication is no silver bullet, just one of the important bits.
2. In an interconnected system, failure of one part can lead to a perception of failure of other parts and of the system as a whole.
For example, imagine that the authentication to Gmail was external, say via an IdP (Identity Provider). In that case, the failure of Gmail post-authentication may give rise to a perception of a security failure by the IdP.
At a system level, it also gives people one more reason to be nervous about transacting online. This is particularly acute in federated systems.
While people who understand exactly what happened will tend to dismiss such perceptions as ignorance, I think the perception of security is as important as the reality. This makes it vital for IdPs, for the sake of their own reputation, to care how an SP (Service Provider) interacts with its customers, even though the IdP is not a party to that transaction.