Engineering
Nov 23rd 2021

Stealing Cookies

Why the current standards of authentication ought to change and how we did it.
Valentin Popescu

Security engineer

The current standard in authentication is to create an authentication token of some kind that is then sent along with every request a user makes during their visit to your website. However the token was created and however secure it is, it is still a token that, if stolen, can be used to impersonate the user. There have been many improvements to alleviate this problem, ranging from refresh tokens and short lifespans to various other measures that made theft more difficult, but not impossible, for a sufficiently motivated malicious actor in the mix. The gold standard became placing the “httpOnly” flag on the authentication cookies, at the cost of making it harder for the developer to find out the authentication status in the application. For a while this has been quite fine, and for many it is probably still good enough security (if stealing the user’s cookie doesn’t create enough benefit for the attacker), but with the advent of “breaking for the fun of it”, and with company reputation at stake, attackers have found creative ways to get their hands on these cookies.

Enter “encrypted traffic inspection tools”, which many enterprises install in their organization’s network. These tools sell themselves as helping companies protect their intellectual property from their own employees. They work by redirecting all company traffic through the tool’s SSL-breaking proxy, which terminates the encrypted channel and re-establishes the connection using the tool’s own SSL certificate chain, which lately is rooted in the tool’s own certificate authority. There has never been an easier time in history to mount a Man-In-The-Middle attack: these tools have been on the market for more than 10 years, but their use to mount attacks on users has never been so rampant. Through the technology brought by these tools, or through malicious tools that work in exactly the same manner, attackers inspect the connection users have with the websites they visit and can essentially “collect” the “httpOnly” cookies for immediate or later “consumption”. The stolen identities can then be used to mount other attacks or leaks and damage companies in countless ways, including stealing the very intellectual property they were trying to protect in the first place.

Well then, you might say, if I don’t use such tools I’m not at risk. To which I can answer… I’m afraid you are! The mere existence of such tools, which for some twisted reason are legal and not considered a privacy breach, jeopardizes all online security. All it takes is one malicious actor with access to the network anywhere between the user and the website they visit (be it an ISP employee, a computer virus on somebody’s machine in your network, or anything whatsoever that has access to that user’s network), and the job has never been easier. Since everything on the internet at this moment relies exclusively on cookies, from web banking to your social login, all of them are subject to theft and, subsequently, to impersonation of the user to do the attacker’s bidding, whatever the attacker might find profitable, or even just funny, to do.

So what is the solution, then?

At Zalter we have thought long about this issue and, given that we already know a technology that has been tried and true for protecting users, we developed our AKAS (Asymmetric Key Authentication System) for the web, using military-grade authentication systems that have so far been used only in top-security environments. We think the current state of the market demands that these systems finally be brought to end users, and we are happy to say that we are the first on the market to bring you the strongest authentication system the technology allows for!

There might be other solutions to the problem, but we think that, at the moment, all solutions must in one way or another use a form of what we are doing in our system.
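As an added illustration (not Zalter’s AKAS code, whose protocol this post does not describe), here is what an asymmetric-key scheme changes compared to a cookie: the bearer check accepts anyone who holds the captured token, while the signed-request check needs an Ed25519 private key that never leaves the client, binds every field of the request, and refuses replays and stale requests. The wire format, the nonce cache and the 30-second clock skew are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"strconv"
	"strings"
)

// VerifyBearer models today's cookie check: whoever presents the token is the
// user, so a token captured by an SSL-inspecting proxy is replayable as-is.
func VerifyBearer(presented, stored string) bool { return presented == stored }

// SignedRequest is an assumed wire format; every field is covered by the signature.
type SignedRequest struct{ Method, Path, Body, Nonce string; Timestamp int64; Signature []byte }

// canonical binds all fields into the signed bytes, so altering any of them in transit breaks the signature.
func canonical(r SignedRequest) []byte {
	fields := []string{r.Method, r.Path, r.Body, r.Nonce, strconv.FormatInt(r.Timestamp, 10)}
	return []byte(strings.Join(fields, "\n"))
}

// Sign runs on the client. Only the signature travels; the private key never does,
// so an intermediary that reads the whole TLS session still cannot mint requests.
func Sign(priv ed25519.PrivateKey, method, path, body string, now int64) SignedRequest {
	nonce := make([]byte, 16) // fresh per request
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	r := SignedRequest{Method: method, Path: path, Body: body, Nonce: hex.EncodeToString(nonce), Timestamp: now}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r
}

// Verifier is the server side: the user's public key, the nonces already
// accepted (replay detection) and the clock skew in seconds it tolerates.
type Verifier struct{ Pub ed25519.PublicKey; Seen map[string]bool; Skew int64 }

// Verify rejects stale requests, replays of a captured request, and requests whose
// signature does not match the fields actually received (e.g. an altered path).
func (v *Verifier) Verify(r SignedRequest, now int64) bool {
	stale := now-r.Timestamp > v.Skew || r.Timestamp-now > v.Skew
	if stale || v.Seen[r.Nonce] || !ed25519.Verify(v.Pub, canonical(r), r.Signature) {
		return false
	}
	v.Seen[r.Nonce] = true
	return true
}
```

A proxy that records a whole session can resubmit the bearer token at will, but against Verify the recorded request fails on the nonce and any edited request fails on the signature.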

If you care about your company’s reputation, if you are already using such an SSL inspection tool, or if you simply want to know that your users can safely authenticate from wherever they are, Zalter has the solution.

What about end-to-end encryption, then?!

Well, this is going to be our next major product! Stay tuned and subscribe to our newsletter to get notified as soon as we release it!

Valentin Popescu

With over 20 years of experience serving companies from banking to gaming, Valentin brings a plethora of tech skills ranging from architecture to AI.