The crux of the issue is the ability to steal the session cookie/ID and hence impersonate that user.
So the only real solution as a web dev is to run the entire session over SSL/TLS I believe. Some hope that HTTPS will do to HTTP what SSH did to telnet. Digital certificate infrastructure is still a bit of a mess though.

Sent from my iPhone

On 04/03/2011, at 2:57 PM, mike smith <meski...@gmail.com> wrote:

> VPN seemed to be one way, so I guess an app that did a similar setup.
>
> On Fri, Mar 4, 2011 at 11:53 AM, Dylan Tusler
> <dylan.tus...@sunshinecoast.qld.gov.au> wrote:
>
> Interesting. I had heard of Firesheep, but just looked at the details.
>
> How would you write an app that resists this kind of attack? Does an app that
> uses .NET Membership Provider have this kind of vulnerability (encrypted
> login, but unencrypted cookies)?
>
> Cheers,
>
> Dylan.
>
>
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On
> Behalf Of mike smith
> Sent: Friday, 4 March 2011 10:42 AM
> To: ozDotNet
> Subject: Re: [OT] Global Roaming data plans and WiFi hacking
>
> On Fri, Mar 4, 2011 at 11:36 AM, Dylan Tusler
> <dylan.tus...@sunshinecoast.qld.gov.au> wrote:
>
> Got a colleague who is travelling to UK, Greece and Turkey, and she wants to
> be able to do some internet stuff (banking, email etc) via mobile handset
> while on the move.
>
> Better to look for a data plan? Or rely on WiFi? How would you do it?
>
> Also, we have a co-worker that recently had her identity snatched via open
> WiFi in a cafe. Ended up losing her email account, and having her bank
> account compromised, partly because of lax password practices. How can you
> harden up against these kinds of things?
>
> google Firesheep. That's what's often used to hack, and looking at that
> gives suggested preventions.
>
>
> Cheers,
>
> Dylan Tusler
> Acting Data, Development & Integration Manager
> ICTS Branch
> Sunshine Coast Council
> ph: +61 (0)7 5420 8002
>
>
> To find out more about the Sunshine Coast Council, visit your local office at
> Caloundra, Maroochydore, Nambour or Tewantin or visit us online at
> www.sunshinecoast.qld.gov.au. If correspondence includes personal
> information, please refer to Council's Privacy Policy.
>
> This email and any attachments are confidential and only for the use of the
> addressee. If you have received this email in error you are requested to
> notify the sender by return email or contact council on 1300 00 7272 and are
> prohibited from forwarding, printing, copying or using it in any way, in whole
> or part. Please note that some council staff utilise Blackberry devices,
> which results in information being transmitted overseas prior to delivery of
> any communication to the device. In sending an email to Council you are
> agreeing that the content of your email may be transmitted overseas.
> Any views expressed in this email are the author's, except where the email
> makes it clear otherwise. The unauthorised publication of an email and any
> attachments generated for the official functions of council is strictly
> prohibited. Please note that council is subject to the Right to Information
> Act 2009 (Qld) and Information Privacy Act 2009 (Qld).
>
>
> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll
> get it, but it's going to be rough" - Adam Hills
>
>
> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll
> get it, but it's going to be rough" - Adam Hills
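The "encrypted login, but unencrypted cookies" pattern Dylan asks about is exactly what the reply means by running the entire session over SSL/TLS. Below is an added example (not code from the thread or from any of its authors) of an ASP.NET web.config that closes that gap for a Forms Authentication / Membership Provider site: the forms ticket and every other cookie the app issues are marked Secure so the browser never sends them over plain HTTP, cookies are marked HttpOnly, plain-HTTP requests are redirected to HTTPS, and an HSTS header tells browsers to stay on HTTPS. The login URL and session settings are placeholders; the redirect rule assumes the IIS URL Rewrite module is installed, and the hostname is whatever the request carried.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Weak default: <forms loginUrl="~/Account/Login" /> with requireSSL left
         false lets the browser send the auth ticket over HTTP after an HTTPS
         login, which is the cookie-theft scenario under discussion. -->
    <authentication mode="Forms">
      <!-- requireSSL="true" sets the Secure flag on the forms ticket cookie;
           ASP.NET will also refuse to issue the ticket on a non-HTTPS request.
           loginUrl is a placeholder path for this example. -->
      <forms loginUrl="~/Account/Login"
             requireSSL="true"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- Applies to every cookie the app creates, including ASP.NET_SessionId:
         Secure (never sent over HTTP) and HttpOnly (not readable by script). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Keep the session ID in a cookie; cookieless (URL-embedded) IDs leak
         through logs, referrers and shared links. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
  </system.web>

  <system.webServer>
    <!-- Redirect any plain-HTTP request to HTTPS so there is no unencrypted
         part of the session at all. Requires the IIS URL Rewrite module. -->
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

    <!-- HSTS: browsers that have seen this header over HTTPS will not issue
         plain-HTTP requests to the host for max-age seconds, so even a typed
         http:// URL never exposes the cookie. -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Two checks worth doing after deploying such a config: confirm with the browser's developer tools that the forms ticket and ASP.NET_SessionId cookies show both the Secure and HttpOnly attributes, and fetch any page over plain http:// to confirm it answers with a redirect rather than content. The redirect alone is not enough, because a browser would still attach a non-Secure cookie to the initial http:// request before the redirect happens; the requireSSL settings are what stop that first request from carrying the cookie.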