Datarealm, a provider of cloud servers, dedicated servers, and shared hosting has warned hosting clients and website owners of the risk posed by the inadequate integrity verification of cookies. The warning is a response to a CERT vulnerability advisory (September 25, 2015) and a research paper released August 12, 2015 from the University of California, Berkeley, Tsinghua University in Beijing, and Microsoft.
The research paper would contain comprehensive details about the risks to data security posed by cookie injection and cookie tossing attacks. Man-in-the-middle attackers may be able to insert cookies into secure HTTPS connections via an insecure HTTP connection. Both attacks carry risks to information security.
Datarealm further recommends that site owners implement HSTS as a protection against some of the most pernicious consequences of cookie vulnerabilities.
HSTS – the HTTP Strict Transport Protocol – is a mechanism for ensuring that the browser will only connect to a service using secure HTTPS connections. HSTS would be simple to implement with modern web servers and is widely supported by recent browsers. With HSTS enabled, many of the attacks made possible by the lack of cookie integrity verification in browsers are mitigated, says Datarealm.
“It’s long been known that cookies are a dangerous attack vector and can be used to expose sensitive information, but the recent paper establishes the full range of potential vulnerabilities,” said Andrew Auderieth, CEO of Datarealm. “As a hosting company supporting many hundreds of websites and web applications, we advise site owners to take action to mitigate the risks. In the absence of any standard mechanism for verifying the origin of cookies, one of the best ways to reduce the risk is to implement HSTS.”
Founded in 1995, Datarealm’s current web hosting products include cloud hosting, dedicated servers, virtual private servers (VPS Hosting), and shared hosting.