Remember that SideJacking only works if it catches a non-SSL cookie. Any site that uses SSL exclusively would be safe. If you would like me to test a site, then please send us an e-mail.
GMAIL
You are unsafe unless you start from something like "https://mail.google.com/mail/". Also, while this secures your Gmail, you may still be vulnerable if you access other Google properties, such as blogspot.com.
SALESFORCE.COM
I think almost all their customers are safe from SideJacking. While I have seen unencrypted SalesForce.com connections, the default is to use complete SSL encryption, which makes it safe from eavesdropping. If you are worried about this, I suggest you make sure "Require secure connections (https)" is set to prevent accidental use of non-SSL. I am frankly impressed by SalesForce.com's commitment to security -- this is far better than any other Web 2.0 application that I've seen. They set the standard that others should follow in order to deal with this problem.
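The rule above (a site is only safe if every cookie it sets is never sent over plain HTTP) and the Gmail/blogspot caveat can be checked mechanically from a site's Set-Cookie headers. The script below is an added example, not code from the original post: it flags every cookie lacking the Secure attribute, which the browser will send to any host in the cookie's Domain over http://. The response headers and the hostnames example.com / www.example.com are constructed sample data.

```python
# Added example (not from the original post): audit Set-Cookie headers from a
# captured HTTP response and list every cookie a SideJacking eavesdropper could
# capture, i.e. every cookie without the Secure attribute, which the browser
# will send whenever any host in the cookie's Domain is reached over plain HTTP.
# The headers below are constructed sample data, not real traffic.

# Constructed sample response headers for a hypothetical site example.com.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SID=abc123; Domain=.example.com; Path=/; HttpOnly"),
    ("Set-Cookie", "AUTH=xyz789; Domain=mail.example.com; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "PREF=lang=en; Path=/"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, {attr: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value.strip(), attrs


def exposed_cookies(headers, response_host):
    """Return [(name, scope)] for cookies the browser may send over http://.

    A cookie without Secure is exposed on every host its Domain covers, so a
    wide Domain (the Gmail vs. other Google properties case) means a single
    non-SSL property leaks it. A cookie with no Domain is host-only.
    """
    exposed = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        if attrs.get("secure") is True:
            continue  # never sent over plain HTTP, so not capturable
        domain = attrs.get("domain")
        scope = "*." + domain.lstrip(".") if domain else response_host
        exposed.append((name, scope))
    return exposed


def site_is_sidejacking_safe(headers, response_host):
    """True only if every cookie set by the response carries Secure."""
    return not exposed_cookies(headers, response_host)


if __name__ == "__main__":
    for name, scope in exposed_cookies(SAMPLE_HEADERS, "www.example.com"):
        print(f"{name}: sent in the clear to any http:// host matching {scope}")
```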
Sunday, August 05, 2007