Cookies have been a security issue for a long time now (you could do this by hand, but it takes a modicum of skill). With the plugin, everyone gets a go. Hopefully this will kick websites into a more secure mindset. Sadly, no Linux love with the plugin; oh well, keep on with Wireshark! =)
On Mon, Oct 25, 2010 at 8:55 AM, Glenn Kelley <[email protected]> wrote:
> http://codebutler.com/firesheep
>
> When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
>
> It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
>
> This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
>
> FireSheep basically just makes it possible to grab a user's FaceBook account ...
>
> OUCH
>
> _____________________________________________________________________________________
> Glenn Kelley | Principal | HostMedic | www.HostMedic.com
> Email: [email protected]
> Please don't print this e-mail unless you really need to.
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
> WISPA Wireless List: [email protected]
> Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
> Archives: http://lists.wispa.org/pipermail/wireless/
> --------------------------------------------------------------------------------
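The quoted message describes the exposure: a session cookie set during an HTTPS login but replayed by the browser on later plain-HTTP requests. The following is an added example, not code from the thread or from Firesheep; it audits constructed Set-Cookie headers for session cookies that lack the `Secure` attribute (the attribute that tells the browser to send the cookie over HTTPS only) and shows the hardened form. The cookie names `sessionid` and `csrftoken` and their values are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies a browser would send over
plain HTTP, which is what sidejacking on an open wireless network relies on."""
from http.cookies import SimpleCookie

# Constructed sample: response headers from a login over HTTPS.
# The first cookie has no Secure attribute, so the browser will also send it
# on later http:// requests where anyone on the same open WiFi can read it.
# The second is scoped to HTTPS only.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: csrftoken=def456; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header_line):
    """Return (name, morsel) for one 'Set-Cookie: ...' header line."""
    _, _, value = header_line.partition(":")
    jar = SimpleCookie()
    jar.load(value.strip())
    name, morsel = next(iter(jar.items()))
    return name, morsel


def cookies_exposed_to_sidejacking(header_lines, session_names=("sessionid",)):
    """Names of session cookies that will be sent over plaintext HTTP.

    Only cookies listed in session_names are checked; a missing Secure
    attribute means the cookie will be transmitted in the clear."""
    exposed = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, morsel = parse_set_cookie(line)
        if name in session_names and not morsel["secure"]:
            exposed.append(name)
    return exposed


def harden_set_cookie(header_line):
    """Rewrite a Set-Cookie header so the cookie is HTTPS-only.

    Secure is the attribute that closes the sidejacking window; HttpOnly
    does not affect sniffing but keeps the cookie away from page scripts."""
    name, morsel = parse_set_cookie(header_line)
    morsel["secure"] = True
    morsel["httponly"] = True
    return "Set-Cookie: " + morsel.OutputString()
```

The `Secure` attribute only helps when the site serves everything over HTTPS; if a page is still loaded over plain HTTP the browser simply will not send the cookie and the session appears broken, which is the "full end-to-end encryption" point the message makes.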
