常時SSLでもCookieの改ざんはできるワケ

As previously explained in the blog post below, cookies can still be tampered with even when using Always-On SSL. While browsers have since made improvements, cookie manipulation is still not fully preventable. An experiment demonstrated that cookie manipulation cannot be prevented even when using HTTPS. https://blog.tokumaru.org/2013/09/coo... In the second half of this video, I'll explain in detail, with demos, the differences in behavior between Safari and Google Chrome (and Firefox). What I want to share today: The Secure attribute on cookies is important for preventing cookie eavesdropping (discussion from the previous video). I'll explain that even if you add the Secure attribute to cookies, it can prevent tampering, but not eavesdropping. I'll also discuss the compatibility status of recent browsers. PS: In the video, I explain that "preventing cookie manipulation itself is difficult," but modern browsers can prevent it by using cookie prefixes. For more information, please refer to the MDH explanation. https://developer.mozilla.org/ja/docs... ------------ ■EG Secure Solutions, Inc. 　https://www.eg-secure.co.jp/ ■For business inquiries, please click here 　https://www.eg-secure.co.jp/contact/ ------------