Sunday, August 05, 2007

Sites confirmed safe from SideJacking

Remember that SideJacking only works if it catches a cookie sent over a non-SSL connection. Any site that uses SSL exclusively would be safe. If you would like me to test a site, please send me an e-mail.

GMAIL
You are unsafe unless you start from something like "https://mail.google.com/mail/". Also, while this secures your Gmail, you may still be vulnerable if you access other Google properties, such as blogspot.com.

SALESFORCE.COM
I think almost all their customers are safe from SideJacking. While I have seen unencrypted SalesForce.com connections, the default is to use complete SSL encryption, which makes it safe from eavesdropping. If you are worried about this, I suggest you make sure "Require secure connections (https)" is set, to prevent accidental use of non-SSL. I am frankly impressed by SalesForce.com's commitment to security -- this is far better than any other Web 2.0 application that I've seen. They set the standard that others should follow in order to deal with this problem.
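The defect the intro describes, a session cookie that the browser will also send over plain HTTP, shows up in a site's Set-Cookie headers as a missing Secure attribute. The following is an added example, not code from the original post: it parses raw Set-Cookie values and reports session-looking cookies that lack Secure. The session-name heuristic and the sample headers are constructed assumptions.

```python
"""Report session cookies that SideJacking could capture: those set without
the Secure attribute, which a browser will also send on a non-SSL request."""

from typing import Dict, List

# Substrings that commonly mark a session cookie (assumption: a heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def looks_like_session(name: str) -> bool:
    """Heuristic: does the cookie name suggest it carries a login session?"""
    lname = name.lower()
    return any(hint in lname for hint in SESSION_HINTS)


def exposed_cookies(headers: List[str]) -> List[str]:
    """Names of session-looking cookies that would travel over plain HTTP."""
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if looks_like_session(cookie["name"]) and "secure" not in cookie["attrs"]:
            exposed.append(cookie["name"])
    return exposed


# Constructed sample headers; not captured from any real site.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
    "SESSIONID=def456; Path=/; HttpOnly",
    "prefs=lang%3Den; Path=/",
]

if __name__ == "__main__":
    for name in exposed_cookies(SAMPLE_HEADERS):
        print(f"{name}: no Secure attribute, sent over non-SSL connections too")
```

Only SESSIONID is reported: SID has Secure set and prefs does not look like a session cookie.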
