Facebook, Google, Yahoo And Mozilla Works on Secure Session Cookie Specification


In addition to pushing for HTTPS, Facebook is working with Google, Yahoo and Mozilla on a specification that will protect session cookies from theft even over non-encrypted connections.

Called the MAC Access Authentication, the specification is currently an Internet Engineering Task Force (IETF) draft and is meant to provide cryptographic verification for certain portions of HTTP requests.

MAC in this context refers to message authentication code, a unique string generated by the client which allows the server to verify that a request hasn't been made before.

This prevents man-in-the-middle attacks which rely on intercepting and replaying requests from and to the client.

"We’re working with Yahoo!, Google and Mozilla on this specification in order to give all websites a way to ensure that session information has not been altered or tampered with," Facebook told developers in a post detailing recent changes to its app platform.

The company has asked developers to acquire an SSL certificate and make their apps HTTPS-compatible by October 1.

This announcement was met with some hostility from developers who don't want to incur additional costs associated with SSL deployment.

"Contrary to some feedback we’ve heard, acquiring an SSL certificate is relatively inexpensive, and the ongoing cost of supporting SSL for most apps is low. The sooner your app supports HTTPS the more secure our platform will become," Facebook stressed.

In addition, developers will also have to implement OAuth 2.0, an authentication standard that comes with cross-site request forgery (CSRF) protection. This system makes obtaining access_tokens, keys that give apps access to people's profiles, more secure and reliable.

Many apps using Facebook's legacy authentication systems were recently found to inadvertently share these tokens with advertisers and other third parties.

Finally, developers were asked to review Facebook's updated platform policies and make sure their apps conform to them. They specifically prohibit UIDs or Access Tokens to be shared with third parties.


Post a Comment