On Mon, Oct 25, 2010 at 7:15 PM, Hay (Husky) <hus...@gmail.com> wrote:
> Has anyone seen this?
>
> http://codebutler.com/firesheep
>
> A new Firefox plugin that makes it trivially easy to hijack cookies
> from a website that's using HTTP for login over an unencrypted
> wireless network. Wikipedia isn't in the standard installation as a
> site (lots of other sites, such as Facebook, Twitter, etc. are). We
> are using HTTP login by default, so I guess we're vulnerable as well
> (please say so if we're using some other kind of defensive mechanism
> I'm not aware of). Might it be a good idea to use HTTPS as the standard
> login? Gmail has been doing this since April this year.

Firesheep works by snooping cookies, not login processes, and it's even without software like this incredibly easy to own someone. All it needs to own a Wikipedia admin or user is being in the same network as him. The admin in question doesn't even have to visit Wikipedia directly, there are enough pages hotlinking to upload.wikimedia.org, which should cause the browser to transmit session data.

If you're in need of using secure login, then you can use the secure webserver, but in the past it had some load issues.

Marco

--
VMSoft GbR
Nabburger Str. 15
81737 München
Geschäftsführer: Marco Schuster, Volker Hemmert
http://vmsoft-gbr.de

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
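Added example, not part of the original thread: a Python check of the browser rules (RFC 6265 domain-match, path-match and the Secure flag) that decide whether a session cookie is attached to a cleartext request for a hotlinked resource, which is the exposure discussed above. Hostnames and cookie values are constructed, and a cookie without a Path attribute is treated as Path=/ for simplicity.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (IP-address hosts not handled)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(req_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False

def cleartext_exposed(set_cookie, origin_host, request_url):
    """Names of cookies from `set_cookie` (as set by origin_host) that a
    browser would attach to request_url over unencrypted HTTP."""
    url = urlsplit(request_url)
    if url.scheme != "http":
        return []          # TLS request: not readable by a passive sniffer
    jar = SimpleCookie()
    jar.load(set_cookie)
    exposed = []
    for name, morsel in jar.items():
        if morsel["secure"]:
            continue       # Secure cookies are never sent over http://
        domain = morsel["domain"]
        if domain:
            ok = domain_match(url.hostname, domain)
        else:
            ok = url.hostname == origin_host.lower()  # host-only cookie
        if ok and path_match(url.path or "/", morsel["path"] or "/"):
            exposed.append(name)
    return exposed
```

A session cookie passes this audit only when every cleartext URL a page might embed returns an empty list, which in practice means setting Secure and serving the site over HTTPS.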