I'm disappointed.

If the testing method described in the last para of the article is sound

How do you check in IE?

Assuming validity of the test of course

Both allow cookies over "any type of connection"

Assuming I followed instructions properly

Only one cookie from the internet banking server, and it's "encrytped connection only".

If this method works

Next, clear all cookies marked as "SECURE" (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as "Encrypted connections only").

What if you visit the site and it doesnt have "marked as SECURE/Encrypted connections only" It has JSESSIONID, WT_FPC, and a couple of Apache... is that good or bad :s

Didnt even need to delete any cookies. As soon as I closed the Bank of Scotland tab, and then reopened it, I was logged out.

(Assuming I'm following the guidelines correcly - there weren't any cookies marked as secure)

This is a man in the middle attack run on a local network, you can do far more than nab cookies to sites.

And it is amusing people don't understand how cookies work, Lou Montulli is probably spinning in his grave (ok he is not dead, well not that I know off), but the mechanism has been in for ages to only transmit over a secured channel.

And you would have thought with all this phorm business, people would have looked into how they were handling their cookies, but a lot of folks use frameworks and obviuosly people who don't know what they are doing have been building those.

It is a little bit of a storm in a teacup, but the fix is so trivial, it is called not hiring cowyboy coders.

... it's not only your bank account. ebay.co.uk fails as does ebay.de

There's one safe way to secure our online bank accounts...don't have them online!

We've managed perfectly well for many years without online accounts.

Think I'll put up with the slight increase in inconvenience by using a bricks and mortar bank account.

Konqueror reports all cookies as ... "Secure: No".

In FF3, didn't see any encrypted cookies etc, but deleted the many other new ones related to the session, then clicked on a button in the banking window - immediately booted right out...

Anonymous as I don't want anyone to know who I bank with!

I feel somewhat relieved, but then I remember I'm in court with the gits and it all comes crumbling down again :p

Just tried out the student finance site which is full of lots of lovely personal info, and they're as open as.. (on the internet, must keep clean...) a really, really, really wide open thing. *cough*

Damn! not a Secure Cookie in sight!

-dZ.

If you use an external proxy server you could easily be vulnerable to a Man in the Middle attack, but then if you're accessing sensitive sites via this method, you should step away from your PC.

Of course, there is the additional problem of the ubiquitious "transparent caches" employed by some ISPs, also.

I noticed that at least one person commenting above didn't understand the instructions properly, btw.

I see no "secure connection only" cookies after logging in to the co-op bank website, so presumably they're vulnerable.

Curiously Halifax do send one "secure only" cookie, however removing it doesn't cause the session to close so presumably it's one of the "any type of connection" cookies that actually matters.

Pathetic. Let's see how long it takes them all to fix it.

Royal bank of scotland fails for the login but now requires the use of crazy encrypto calc to do any sort of transfers outside of your own accounts.

So, someone could come in and transfer money between my own accounts, but would not be able to set up direct debits, transfer to someone else's account etc.

Not great, but at least its something. Just in time too. This is brand new,

I see the 2nd comment above, but logging in to https://www.mybank.alliance-leicester.co.uk/index.asp it seems like a PASS, it *always* asks for my PIN anyway, so I'm not sure if that means it was safe already.