Even HTTPS may leak sensitive information!!!

Cookies set over plain HTTP can be used to bypass HTTPS and reveal private information, according to an advisory issued by US-CERT.




RFC 6265 (which obsoletes RFC 2965) defines HTTP State Management, better known as cookies. In most browser implementations of RFC 6265, a cookie set over plain HTTP is stored and later attached to HTTPS requests for the same host, so a remote attacker who can answer one plaintext request may bypass HTTPS and reveal private session information.

According to the researchers:

A cookie can contain a “secure” flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections.

A remote attacker may therefore be able to obtain private information from, or fix the session of, a victim's HTTPS session.
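The behaviour described above can be reproduced offline with Python's standard-library cookie jar, which implements the RFC 6265 rules the advisory refers to. The following is an added example, not code from the advisory or from US-CERT; the host example.com, the cookie name `session` and the two responses are constructed for the demonstration. The legitimate site sets a Secure session cookie over HTTPS; an on-path attacker then answers a plain http:// request for the same host and sets a cookie with the same name. Because the jar records nothing about the scheme a cookie was received over, the injected cookie replaces the genuine one and is sent on the next HTTPS request, while the Secure flag only stops it from being sent over HTTP.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response (constructed for this example):
    CookieJar only needs .info() to return a message object exposing the
    Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive_set_cookie(jar, url, set_cookie):
    """Store the cookie exactly as the jar would after a response to `url`
    carried `Set-Cookie: <set_cookie>`; the scheme of `url` is http or https."""
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse([set_cookie]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None if no stored cookie is eligible for that scheme/host/path."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo():
    jar = http.cookiejar.CookieJar()

    # 1. The legitimate site issues its session cookie over HTTPS with the
    #    Secure flag, so the cookie itself is never transmitted in plaintext.
    receive_set_cookie(jar, "https://example.com/login",
                       "session=legit; Secure; Path=/")

    # 2. The victim later loads any http://example.com/ page (typed URL,
    #    bookmark, link in an e-mail).  An on-path attacker answers that
    #    plaintext request and sets a cookie of the same name.  RFC 6265
    #    keeps no "set over HTTP" marker, so the jar accepts it, Secure flag
    #    and all, and it overwrites the cookie the site set over HTTPS
    #    (same host, same path, same name).
    receive_set_cookie(jar, "http://example.com/",
                       "session=attacker; Secure; Path=/")

    # 3. What each later request from the victim carries.
    return {
        "https": cookie_header_for(jar, "https://example.com/account"),
        "http": cookie_header_for(jar, "http://example.com/"),
    }


if __name__ == "__main__":
    for scheme, header in demo().items():
        print(f"{scheme:5} -> Cookie: {header}")
```

The HTTPS request to https://example.com/account now carries `session=attacker`, so the server treats the victim as whichever session the attacker chose; the plain-HTTP request carries no cookie at all, because the Secure flag governs only where a cookie is sent, not where it may be set. HSTS on the domain removes step 2 entirely: the browser rewrites the http:// URL to https:// before any request leaves, so the attacker never gets a plaintext response to answer. Current browsers additionally refuse to accept a Secure-flagged cookie from a non-secure origin (the "Leave Secure Cookies Alone" change later folded into the RFC 6265 revision), but a cookie injected without the Secure flag is still stored and still attached to HTTPS requests, so the mitigation remains HSTS rather than the flag.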

To protect yourself, deploy HSTS on the top-level domain (with includeSubDomains, so that no http:// host under it remains for an attacker to answer) and keep your browsers updated.


A complete fix may require future updates to RFC 6265 and/or RFC 6454 that enable safer handling of cookies through an updated same-origin policy for cookies, one that takes the scheme a cookie was set over into account.
