With the release of Firesheep... and my nomadic system lifestyle, I am seriously reconsidering my former view of "man in the middle" attacks as a low-priority issue.
Looking over the Remember Me plugin, I note that it is easily hijacked via Firesheep to allow a user without too much technical sophistication to impersonate someone on a Joomla-powered website if it is connected to through normal HTTP instead of HTTPS. The simple solution, which I am implementing for myself, is to set up a VPN to an external system on the internet and tunnel all my traffic through there. That at least removes the issue with open wifi access. While self-signed certificates can cause general users to become uncomfortable and not wish to continue on a website, for my own sanity I'm thinking a short little plugin that always redirects specific users who log on to the HTTPS connection to log on again would be in order.
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
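One shape the plugin sketched in the post could take, as an added example that is not part of the original message or of Joomla itself: a system plugin in the style of the Joomla 1.5 API of the time that logs out any already-identified user who arrives over plain HTTP and sends them to the HTTPS login page. The class name and the "usernames" plugin parameter are assumptions.

```php
<?php
// Added example (not from the original post or from Joomla): a Joomla 1.5-style
// system plugin that forces re-authentication over HTTPS for users whose
// identity was established over plain HTTP (session or "Remember Me" cookie).
defined('_JEXEC') or die('Restricted access');

jimport('joomla.plugin.plugin');

class plgSystemForceSslLogin extends JPlugin
{
    public function onAfterInitialise()
    {
        $app  = JFactory::getApplication();
        $user = JFactory::getUser();
        $uri  = JURI::getInstance();

        // Only act on the public site, only for non-guests, and only when the
        // current request did not arrive over TLS.
        if ($app->isAdmin() || $user->get('guest') || $uri->isSSL()) {
            return;
        }

        // Assumed plugin parameter "usernames": a comma-separated list of
        // accounts to protect. An empty list means every logged-in user.
        $raw  = $this->params->get('usernames', '');
        $only = array_filter(array_map('trim', explode(',', $raw)));
        if ($only && !in_array($user->get('username'), $only)) {
            return;
        }

        // Discard the identity that was asserted over HTTP so a cookie observed
        // on the wire is no longer useful, then require a fresh login over HTTPS.
        $app->logout();
        $uri->setScheme('https');
        $uri->setQuery('option=com_user&view=login');
        $app->redirect($uri->toString());
    }
}
```

This only moves the login itself onto HTTPS; the session and Remember Me cookies still need the Secure flag (set at the server or Joomla configuration level) or they will be sent again on the next plain-HTTP request.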

