Sl@pSh0ck™ Posted October 27, 2010 Share Posted October 27, 2010 When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.<br /><br />It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.<br /><br />This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.<br /><br />Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.Read moreInstall Link to comment Share on other sites More sharing options...
tipo Posted October 27, 2010 Share Posted October 27, 2010 nice article! thanks Link to comment Share on other sites More sharing options...
henz Posted October 27, 2010 Share Posted October 27, 2010 the xpi size 2.9 MBbigger than common ff extension :) Link to comment Share on other sites More sharing options...
Sl@pSh0ck™ Posted October 28, 2010 Author Share Posted October 28, 2010 Please use this one for testing purposes only ... don't f%ck up somebody else s facebook or twitter etc. account ... this is designed as a wake up call to some websites that don't implement secured login for their users. Link to comment Share on other sites More sharing options...
RadioActive Posted October 28, 2010 Share Posted October 28, 2010 What I'd like to know, does this work on secured WiFi (WPA/PSK..etc)? Or only on unsecured ones? Link to comment Share on other sites More sharing options...
henz Posted October 28, 2010 Share Posted October 28, 2010 the article said The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.i don't think this will be open/ secured wireless related. Link to comment Share on other sites More sharing options...
Drolz Posted October 29, 2010 Share Posted October 29, 2010 :thumbsup: great info Link to comment Share on other sites More sharing options...
malakai1911 Posted November 2, 2010 Share Posted November 2, 2010 Use the following to defeat Firesheep in public places (with either Firefox or Firefox Portable):To make your browsing sessions happen over SSL (on some, not all websites):ForceTLS or HTTPS Everywhere(HTTPS Everywhere is a little easier to use and more install and go, ForceTLS is more of a power user add-on, as it requires manual rulemaking).and SSL for your Search Bar:SSL Search Bar Add-onsNot all sites will work, but this will be good enough for many (Google, Facebook, Twitter, Wikipedia, and others). Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.