In Tools to sniff and clone cookies, Stephan Brands writes about a scene at a recent Black Hat Security conference where a presenter was able to steal live sessions by sniffing cookies on open internet connections, and concludes:
The message for those working on digital identity solutions, in particular “lightweight” identity solutions and plain-vanilla browser identity federation a la ID-FF, should be clear: unless asymmetric cryptographic protection is made an integral part of a solution, users are highly vulnerable to theft of IdP login credentials as well as of identity claims that are issued to them.
First off, to be very clear, there was absolutely *NO* stealing of login credentials. What was actually stolen in that particular case was a session cookie that would enable the hacker to use an existing session for the length of the session. The stolen cookie could not be used to establish new login sessions (as login credentials would allow).
Secondly, in a Liberty ID-FF and/or SAML scenario the authentication protocols are required to take place within an SSL session and we strongly encourage that SSL be used to protect the authenticated session afterwards.
The real lesson of the demonstration is that services that do not use SSL to protect communications from the browser to the server are liable to be monitored, recorded, and even hijacked -- regardless of how well the user was authenticated.
Moral of the story: Use SSL to protect communications of sensitive information.
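As an added example (my own code, not from the original post or from the Liberty/SAML specifications), here is the check a service operator can run against its own Set-Cookie headers: a session cookie issued without the Secure attribute is sent by the browser over plain HTTP as well, which is exactly the exposure the demonstration relied on. The list of session cookie names and the sample headers are assumptions constructed for the example.

```python
from http.cookies import SimpleCookie

# Cookie names treated as session identifiers. This set is an assumption for
# the example; audit the name your own framework actually uses.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "sessionid"}

# Constructed sample Set-Cookie header values (not captured from any real site).
CONSTRUCTED_HEADERS = [
    "JSESSIONID=constructed-session-id; Path=/; HttpOnly",
    "PHPSESSID=constructed-session-id; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]


def audit_set_cookie(headers):
    """Return (cookie name, list of problems) for each session cookie issued.

    A session cookie lacking the Secure attribute (RFC 6265) is also sent on
    plain http:// requests, so anyone sniffing the network can copy it and
    reuse the live session for as long as it is valid. The cookie does not
    reveal the login credentials, but it does not need to. Missing HttpOnly
    is reported as well, since script access is another way the same cookie
    can leak.
    """
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)          # parses one Set-Cookie header value
        for name, morsel in jar.items():
            if name not in SESSION_COOKIE_NAMES:
                continue          # non-session cookies are out of scope here
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure: cookie is also sent over plain HTTP")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly: cookie is readable from script")
            findings.append((name, problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit_set_cookie(CONSTRUCTED_HEADERS):
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Run against the constructed headers, the first session cookie is reported as exposed over plain HTTP while the second, marked Secure, passes.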