17 Sep 2015, 4:39 a.m.
What is of more crypto / security interest is not bandwidth use or even domain or path restrictions, but failure of webdevs to seed and restrict sensitive cookies (like your authenticated session IDs) from and to TLS-only sessions. Well known top100 sites that still have a legacy http mode fail to do this properly... banks, social, govt, etc. Even sites that immediately 302 your first hit (or other hits) over to https thereafter can be found doing it wrong. Ripe for wifi or wire monitoring based session stealing.
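
An added example, not part of the original post: a small audit that walks a captured response chain and reports sensitive cookies that are seeded over plaintext HTTP or lack the `Secure` attribute, including the case of a site that 302s the first hit to https. The host `shop.example`, the cookie names and the `SENSITIVE` set are assumptions, and the response chain is constructed sample data.

```python
# Added example: audit a captured redirect chain for session cookies that are
# seeded over plaintext HTTP or not restricted to TLS with the Secure attribute.
from urllib.parse import urlsplit

# Constructed sample: (request URL, status, raw Set-Cookie header values).
SAMPLE_CHAIN = [
    ("http://shop.example/", 302, ["SESSIONID=abc123; Path=/; HttpOnly"]),
    ("https://shop.example/", 200, ["SESSIONID=abc123; Path=/; HttpOnly",
                                    "theme=dark; Path=/"]),
    ("https://shop.example/login", 200,
     ["SESSIONID=def456; Path=/; Secure; HttpOnly"]),
]

# Assumption: which cookie names carry authentication state on this site.
SENSITIVE = {"sessionid", "auth", "token"}

def parse_set_cookie(value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_chain(chain, sensitive=SENSITIVE):
    """Return (url, cookie name, issue) for sensitive cookies exposed to plaintext."""
    findings = []
    for url, _status, cookies in chain:
        scheme = urlsplit(url).scheme.lower()
        for raw in cookies:
            name, attrs = parse_set_cookie(raw)
            if name.lower() not in sensitive:
                continue  # non-sensitive cookies (e.g. theme) are out of scope
            if scheme != "https":
                findings.append((url, name, "seeded over plaintext HTTP"))
            if "secure" not in attrs:
                findings.append((url, name, "missing Secure attribute"))
    return findings

if __name__ == "__main__":
    for url, name, issue in audit_chain(SAMPLE_CHAIN):
        print(f"{url}: {name}: {issue}")
```
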