Python Blog

From Al Lukaszewski, for About.com

HTTPS Cookie Jacking: Protecting Yourself

Tuesday August 19, 2008
To protect yourself against HTTPS cookie jacking, it is important that the server use the appropriate security flags when issuing the cookie, as previously stated. The end user, however, must also ensure that all communication with the website takes place over an HTTPS connection. This is something most webmail sites usually fail to do. At the time of this writing, for example, both Google Mail and Yahoo! Mail default to using HTTPS for their login pages but not for the user's mail interface and subsequent interaction. Both are therefore vulnerable by default.

To resolve the cookie jacking problem, Google recently implemented the option for users to use HTTPS connections throughout their sessions. However, this must be enabled through the settings dialogue. As yet, Yahoo! has not enabled such a feature, and their users are likely vulnerable to this threat.
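
The two conditions above (a flag set by the server, HTTPS for the whole session) can be checked together. The following Python sketch is an added example, not code from the original post: it reads `Set-Cookie` header values and a list of URLs visited in one session, and reports which cookies would travel in cleartext. It assumes the flag in question is the cookie's `Secure` attribute; the host `mail.example.test`, the cookie names and the function names are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def secure_flags(set_cookie_values):
    """Map each cookie name to True if it was issued with Secure."""
    flags = {}
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags


def exposed_cookies(set_cookie_values, visited_urls):
    """Return {url: [cookies sent in cleartext]} for one session.

    A browser attaches a cookie to a plain-HTTP request unless the
    cookie carries Secure, so each http:// URL in the session exposes
    every cookie that lacks the flag.
    Assumption: all URLs are on the host and path the cookies cover.
    """
    flags = secure_flags(set_cookie_values)
    leaky = sorted(name for name, secure in flags.items() if not secure)
    report = {}
    for url in visited_urls:
        if leaky and urlsplit(url).scheme.lower() == "http":
            report[url] = leaky
    return report


# Constructed sample data (hypothetical host, not a real capture):
# login happens over HTTPS, the mail interface over plain HTTP.
LOGIN_COOKIES = [
    "SID=constructed-session-id; Path=/",
    "AUTH=constructed-auth-token; Path=/; Secure",
]
SESSION_URLS = [
    "https://mail.example.test/login",
    "http://mail.example.test/inbox",
]

if __name__ == "__main__":
    for url, names in exposed_cookies(LOGIN_COOKIES, SESSION_URLS).items():
        print(f"{url}: cleartext cookies {', '.join(names)}")
```

An empty report for an all-HTTPS session holds only while no request falls back to HTTP, which is why the server-side flag is still needed.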

©2009 About.com, a part of The New York Times Company.

All rights reserved.