this is what the firesheep firefox extention does. It was designed to
demonstrate how much of a risk this attack poses. now a user who has the
extention can go to any open wireless hotspot, such as in a cafe, see
exactly who is on the network with them, and their profile picture if they
are logged onto a website the extention supports and by simply
double-clicking on the person's name, they hijack that individual's account.
the only fix is for hotspot admins to employ WPA encryption at the very
least, or for websites to force SSL for the entire session, which
unfortunately not many do. I say this as a warning to everyone, whether you
run your own wireless network or not, make sure the network your connecting
to uses at least WPA encryption, wep encryption simply is not enough any
more because it's now so easy to brake into those networks.
Aiden
----- Original Message -----
From: "David Ferrin" <d...@jaws-users.com>
To: <blind-computing@jaws-users.com>
Sent: Thursday, November 04, 2010 12:15 PM
Subject: [Blind-Computing] daily term
sidejacking
"When logging into a Web site you usually start by submitting your
username and password. The server then checks to see if an account
matching this information exists and if so, replies back to you with a
'cookie,' which is used by your browser for all subsequent requests."
Most Web sites protect your username and password with a secure HTTPS
connection. Unfortunately, many immediately drop back into insecure HTTP
once a visitor is signed in - and the site sends its cookie back over a
now-insecure connection. Anybody snooping on your conversation can make a
copy of the cookie and use it to interact with the Web site in precisely
the same way you do.
David Ferrin
Most people don't know what they're doing and a lot of them are really
good at it.
For answers to frequently asked questions about this list visit:
http://www.jaws-users.com/help/
For answers to frequently asked questions about this list visit:
http://www.jaws-users.com/help/
