On 11/04/2010 01:24 PM, Lonnie Olson wrote: > Firesheep doesn't hijack credentials. Only the session. It exploits > a common hole in most websites that use SSL for login, but go in the > clear for everything else. > > Firesheep makes it super trivial to find a session running in the > clear, grab their session cookie(s), and give you full access to their > account for the duration of the session.
So this is basically an old-style attack, such as was common before the days of internet switches. This is made even easier by the fact that most wirelss routers are not only shared broadcast medium (like a hub) but also natted through a common IP address, making firesheep's use of the session indistinguishable from the victim's. And of course you have to use a non-encrypted wireless connection, as WPA connections don't allow clients to see eachother's traffic. I suppose some of this could be mitigated by smarter session-cookie checking on the servers. There are things in http requests that can be somewhat uniquely identifying. If the cookie doesn't contain a matching hash of a hash of the unique request things then the request could be denied. And of course SSL-only sessions works too, which is what google has moved to, now that their relative cost of computing power has dropped. /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
