The crux of the issue is the ability to steal the session cookie/ID and hence 
impersonate that user.

So the only real solution as a web dev is to run the entire session over 
SSL/TLS I believe. Some hope that HTTPS will do to HTTP what SSH did to telnet. 
Digital certificate infrastructure is still a bit of a mess though.

Sent from my iPhone
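The question raised further down the thread ("encrypted login, but unencrypted cookies") is the exact gap Firesheep exploited, and the reply above gives the fix: keep the whole session on TLS. The following added example (not code from anyone in this thread) models a browser cookie jar with RFC 6265 Secure-attribute semantics to show that a session cookie issued without `Secure` is sent on the first plain `http://` request even though the login itself went over HTTPS, while a `Secure` cookie is not. The host name, cookie name and value, and the header strings are constructed for illustration.

```python
"""Added example: 'encrypted login, unencrypted cookies' still leaks the session.

Models the part of RFC 6265 a browser applies when deciding which cookies to
attach to a request: a cookie carrying the Secure attribute is only sent over
HTTPS. Everything else (site, cookie values) is constructed for this example.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


class CookieJar:
    """Minimal single-site cookie store (no domain/path matching, which is not
    what this example is about)."""

    def __init__(self):
        self.cookies = {}  # name -> {"value": str, "secure": bool, "httponly": bool}

    def store(self, set_cookie_value):
        """Parse the value of a Set-Cookie header and remember its attributes."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            self.cookies[name] = {
                "value": morsel.value,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }

    def cookies_for(self, url):
        """Names of the cookies a browser would attach to a request for url.

        RFC 6265 section 5.4: a cookie with the Secure attribute is only
        included when the request goes over a secure channel. HttpOnly plays
        no part here; it restricts script access, not transport.
        """
        scheme = urlparse(url).scheme
        return sorted(
            name for name, cookie in self.cookies.items()
            if scheme == "https" or not cookie["secure"]
        )


def cookies_sent(set_cookie_values, url):
    """Simulate: login response sets the cookies, then the browser requests url."""
    jar = CookieJar()
    for value in set_cookie_values:
        jar.store(value)
    return jar.cookies_for(url)


# Constructed Set-Cookie values. Both have HttpOnly; only the second has Secure.
WEAK_LOGIN_COOKIES = ["SESSIONID=abc123; Path=/; HttpOnly"]
HARDENED_LOGIN_COOKIES = ["SESSIONID=abc123; Path=/; Secure; HttpOnly"]

# The first non-TLS page the user opens after logging in (constructed URL).
PLAIN_HTTP_PAGE = "http://www.example.com/inbox"
TLS_PAGE = "https://www.example.com/inbox"


def hardened_response_headers(session_id):
    """Headers that keep the whole session on TLS, as the reply above advises:
    Secure+HttpOnly on the session cookie, and HSTS so the browser refuses to
    make plain-HTTP requests to the site at all (max-age value is illustrative)."""
    return {
        "Set-Cookie": f"SESSIONID={session_id}; Path=/; Secure; HttpOnly",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


if __name__ == "__main__":
    print("weak, http request:    ", cookies_sent(WEAK_LOGIN_COOKIES, PLAIN_HTTP_PAGE))
    print("hardened, http request:", cookies_sent(HARDENED_LOGIN_COOKIES, PLAIN_HTTP_PAGE))
    print("hardened, https request:", cookies_sent(HARDENED_LOGIN_COOKIES, TLS_PAGE))
    print(hardened_response_headers("abc123"))
```

Running it shows the weak configuration sending `SESSIONID` over plain HTTP on the very next page load, which is all a passive sniffer on an open WiFi network needs; the hardened configuration sends it only over HTTPS. The Secure flag alone is not enough if the application still serves any page over HTTP (the user just gets logged out), hence the HSTS header in `hardened_response_headers`. For ASP.NET forms authentication, the corresponding setting is `requireSSL="true"` on the `<forms>` element, which marks the authentication cookie Secure.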

On 04/03/2011, at 2:57 PM, mike smith <meski...@gmail.com> wrote:

> VPN seemed to be one way, so I guess an app that did a similar setup.
> 
> On Fri, Mar 4, 2011 at 11:53 AM, Dylan Tusler 
> <dylan.tus...@sunshinecoast.qld.gov.au> wrote:
> Interesting. I had heard of Firesheep, but just looked at the details.
>  
> How would you write an app that resists this kind of attack? Does an app that 
> uses .NET Membership Provider have this kind of vulnerability (encrypted 
> login, but unencrypted cookies)?
> Cheers,
>  
> Dylan.
>  
> 
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
> Behalf Of mike smith
> Sent: Friday, 4 March 2011 10:42 AM
> To: ozDotNet
> Subject: Re: [OT] Global Roaming data plans and WiFi hacking
> 
> On Fri, Mar 4, 2011 at 11:36 AM, Dylan Tusler 
> <dylan.tus...@sunshinecoast.qld.gov.au> wrote:
> Got a colleague who is travelling to UK, Greece and Turkey, and she wants to 
> be able to do some internet stuff (banking, email etc) via mobile handset 
> while on the move.
>  
> Better to look for a data plan? Or rely on WiFi? How would you do it?
>  
> Also, we have a co-worker that recently had her identity snatched via open 
> WiFi in a cafe. Ended up losing her email account, and having her bank 
> account compromised, partly because of lax password practices. How can you 
> harden up against these kinds of things?
> 
> Google Firesheep.  That's what's often used to hack, and looking at that 
> gives suggested preventions.
>  
>  
> Cheers,
> Dylan Tusler
> Acting Data, Development & Integration Manager
> ICTS Branch
> Sunshine Coast Council
> ph: +61 (0)7 5420 8002
> 
>  
> 
> 
> To find out more about the Sunshine Coast Council, visit your local office at 
> Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
> www.sunshinecoast.qld.gov.au. If correspondence includes personal 
> information, please refer to Council's Privacy Policy
> This email and any attachments are confidential and only for the use of the 
> addressee. If you have received this email in error you are requested to 
> notify the sender by return email or contact council on 1300 00 7272 and are 
> prohibited from forwarding, printing, copying or using it in any way, in whole 
> or part. Please note that some council staff utilise Blackberry devices, 
> which results in information being transmitted overseas prior to delivery of 
> any communication to the device. In sending an email to Council you are 
> agreeing that the content of your email may be transmitted overseas.
> Any views expressed in this email are the author's, except where the email 
> makes it clear otherwise. The unauthorised publication of an email and any 
> attachments generated for the official functions of council is strictly 
> prohibited. Please note that council is subject to the Right to Information 
> Act 2009 (Qld) and Information Privacy Act 2009 (Qld).
> 
> 
> 
> 
> -- 
> Meski
> 
> "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll 
> get it, but it's going to be rough" - Adam Hills
> 
