Flutterby™! : Firesheep

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics

Firesheep

2010-10-26 15:33:24.147119+00 by Dan Lyke 10 comments

Firesheep is a Firefox plug-in that lets you sit on an open network, click a button to start looking for identifying user information, and then click on one of those identified sessions to hijack that login to a given site. Works for any site which uses simple cookies and an unencrypted HTTP stream. Like Flutterby, or Facebook, or Twitter, or...

Might be time to figure out how to go HTTPS for everything.

[ related topics: broadband ]

comments in descending chronological order (reverse):

#Comment Re: made: 2010-11-08 22:41:14.295054+00 by: meuon

+1 for TinyCA It Rocks!

#Comment Re: made: 2010-11-08 20:47:20.180202+00 by: spc476

I use TinyCA. It's easy to set up, but I do recall it took an hour or two of playing around with that, Apache and Firefox to get the self-signed certs working. It's a pretty easy interface.

#Comment Re: made: 2010-11-08 19:00:05.71619+00 by: Dan Lyke

BlackSheep is a Firefox plugin that sends fake credentials and then watches the network to see if they're being used in order to detect Firesheep use.

Thinking about running a web of trust, Sean. I need to do some self-education, and certs always end up being a pain in the ass, but maybe if I can figure out a better way to manage them than "read the howto, set something up, and then get bitten two years later when the cert expires and I don't remember how I created it any more".

#Comment Re: made: 2010-10-28 08:37:17.349884+00 by: spc476

I'd be up for a "web of trust" self signed certs. I already have my own CA (http://secure.conman.org) and a signed certificate (https://secure.conman.org/).

#Comment Re: made: 2010-10-27 22:50:58.995172+00 by: John Anderson

Dan, all good points. I mostly don't worry about the links "inside" the other side -- there's jack squat I can do about that problem, near as I can tell. The "trusted point" that I was thinking of would be back to the server in my basement -- and if that's compromised, I've got other issues.

Meuon, "Web of Trust" for self-signed certs?

#Comment Re: made: 2010-10-27 16:42:31.555062+00 by: meuon

Yeah.. It's an issue, but as it's been proven that governments have compromised the major root certs, I personally trust a self-signed one more.

Maybe the idea is a self-signed cert registry... Hmm...

#Comment Re: made: 2010-10-27 16:26:56.230242+00 by: Dan Lyke

The problem with self-signed as I understand it is that many users don't understand the concept, and it's getting harder and harder to tell Firefox (and other browsers) to STFU and accept the damned certificate already.

#Comment Re: made: 2010-10-26 16:57:49.091891+00 by: meuon [edit history]

Even a self-signed certificate makes that hard enough, I also use simple/digest auth + client browser certificates for applications. Cookie/session ID auth is just not really auth. I have one application that -can- use it, it's called "fakeauth" mode and requires a disclaimer from the IT director.

What is apropos for Flutterby and most social similiar websites? https is a minimum, even if self signed.

#Comment Re: made: 2010-10-26 16:14:12.069941+00 by: Dan Lyke [edit history]

I guess everything's a matter of risk assessment, but how much do you trust the links from any of my computers to any of my other computers to be secure from snooping?

Your work network is probably on a switch, but how much do you trust your coworkers? The keyboard jockeys in your colo?

#Comment Re: made: 2010-10-26 16:06:24.626685+00 by: John Anderson

Time to just start using SSH tunnels back to a trusted point any time you're not on a trusted network...