I forwarded this message on to the Twitter security team and encouraged them
to respond here.

-John Kalucki
http://twitter.com/jkalucki
Infrastructure, Twitter Inc.

On Mon, Mar 15, 2010 at 9:03 AM, Yuchen Zhou <pinkforpe...@gmail.com> wrote:

> Hi,
>
> I'm a security researcher at the University of Virginia, and I have been
> looking into the use and adoption of http-only cookies. My advisor is
> Professor David Evans.
>
> We were surprised to discover that your site seems to not use
> http-only cookies, even for cookies that contain authentication
> information. Even if the cookies are SSL-only, this by itself does
> not provide the same protection that tagging the cookies as http-only
> would (for example, they could still be stolen by an XSS attack).  So far
> as we could tell from some simple dynamic experiments, there is no reason
> why your site's cookies are not http-only (that is, the client-side JS
> code does not appear to use the cookie contents in any way, and we've
> tried accessing your site with a proxy that makes all the cookies
> http-only and everything seems to work fine).
>
> So, as far as I understand it, there are significant security benefits
> and no drawbacks (perhaps except for a few extra bytes in the cookie)
> to making all the cookies http-only.  Is there some good reason we're
> missing why you don't do this?
>
> Best,
>
> --- Yuchen
> =======================================
> Yuchen Zhou
> yz...@virginia.edu
> Graduate student at Computer Science Dept.
> University of Virginia
>
