IanKelley - 4:40 am on Sep 21, 2011 (gmt 0)

This is definitely interesting, but it's easy to over exaggerate the risk of this happening in reality.

Provided I understand how this works...

First, you need access to a point between the user's computer and the target site. Generally speaking this means either compromising a major internet node, or hacking a work network. I'm leaving out unsecured wi-fi because, well, it's unsecured wi-fi :-)

If you manage to accomplish this impressive feat you then need to wait for a user passing through the network to access a site that has value to you (i.e. PayPal).

Now... (from the original article)

That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour

You have a half hour or so to decrypt a cookie, assuming of course it's under 2k, which isn't guaranteed by any means. It could end up taking you a lot longer.

If the user logs out or the session expires before you've decrypted the cookie it's useless. Which is likely, I imagine only a small percentage of visits to financial websites last more than a half hour. At PayPal it would be even less time since the majority of transactions are 2 clicks.

But suppose you manage it, even then, if the cookie in question uses an extra layer of security (a hash of the user agent and IP for example), it's useless even if you decrypt it before they log out. Of course you could get around this if you were expecting it, I'm just picking one example of how easy it is to make this exploit more difficult.

So, it's a real threat, but the chances of it effecting any of us are virtually nil.