


This may be the most important post you’ll read on my blog from a personal, digital security standpoint. If you use ANY website today which requires a login but does NOT use a “persistent https” secure connection thereafter, you’re at MAJOR risk of having your account(s) hacked if you use open wifi hotspots in coffee shops or other locations. Yes, this means Facebook, at least for now until they FINALLY deploy persistent https. This danger is real, this is not a “Chicken Little” story, and in this post I’ll explain why.

I’ll begin with a visual illustration. After installing the free Firefox extension Firesheep this evening at a local coffee shop, I was immediately able to gain access to the Facebook accounts, WordPress blog administrative dashboards, and other SUPPOSEDLY private, secure profiles of the following web users on different sites:

I am not a hacker, I’d classify myself as a “medio picante” geek… So how did I do this? The reason is Firesheep: a simple, easily installed Firefox extension which allows ANYONE to gain this kind of access on a shared Internet connection… Not just black hats, white hats, or script kiddies. MANY websites, including Facebook today, do NOT use a “persistent https” connection after users log in. This means the browser address changes to “https” and creates a secure “tunnel” during the login process, but thereafter users’ browsers return to an unsecured “http” connection while a “browser cookie” is set to maintain the login. That cookie is then sent in the clear with every http request, so anyone else on the same open wifi network can read it off the air and present it to the site to be treated as the logged-in user, with no password needed.

I want to thank James Deaton (on Twitter) for alerting me to this risk demonstration (Firesheep) at OpenBeta5 last week in Oklahoma City. For a more in-depth, geekier explanation of the problem which Firesheep exploits and dramatically demonstrates, read Glenn Fleishman’s October 28, 2010, article for BoingBoing, “Liar, Liar, Sheep on Fire.”

The bottom line for me is, I’m now using a commercial VPN service (Astrill) whenever I’m connecting my laptop on any type of network (a wired hotel connection or a public wifi connection) other than one I own at my house, or via my 3G AT&T network connection.
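To make the cookie problem concrete, here is an added example (my own illustration, not Firesheep’s code and not anything from this post’s author) of the two halves of the story: what a sniffer on a shared network can pull out of plaintext http requests after an https login, and the Set-Cookie attribute that stops the browser from ever sending the session cookie over http. The captured traffic, host names, cookie names and token values below are all constructed for the example and are not real captures.

```python
import re

# Constructed sample of plaintext HTTP/1.1 requests as they would appear on the
# wire after users logged in over https and were sent back to http pages.
# Hosts and token values are made up for this example.
CAPTURED_HTTP = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.social.example\r\n"
    b"Cookie: c_user=1000; xs=SESSIONTOKEN1\r\n"
    b"\r\n"
    b"GET /wp-admin/ HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"Cookie: wordpress_logged_in_0b7=admin%7Ctoken2\r\n"
    b"\r\n"
    b"GET /logo.png HTTP/1.1\r\n"
    b"Host: cdn.example\r\n"
    b"\r\n"
)

# Hypothetical list of cookie names that carry a login session. A real
# sidejacking tool keeps a per-site list like this; these names are assumptions.
SESSION_COOKIE_NAMES = re.compile(r"^(xs|c_user|wordpress_logged_in_\w+|PHPSESSID)$")


def parse_requests(raw: bytes):
    """Split a plaintext HTTP/1.x request stream into (host, headers) tuples."""
    requests = []
    for block in raw.split(b"\r\n\r\n"):
        if not block.strip():
            continue
        lines = block.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:  # lines[0] is the request line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((headers.get("host", ""), headers))
    return requests


def parse_cookie_header(value: str):
    """Turn 'a=1; b=2' from a Cookie request header into a dict."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def harvest_sessions(raw: bytes):
    """What the attacker side sees: {host: {session_cookie: value}} for every
    request that carried a login cookie in the clear. Anything returned here
    can be replayed to impersonate that user without knowing the password."""
    found = {}
    for host, headers in parse_requests(raw):
        if "cookie" not in headers:
            continue
        session = {
            name: val
            for name, val in parse_cookie_header(headers["cookie"]).items()
            if SESSION_COOKIE_NAMES.match(name)
        }
        if session:
            found[host] = session
    return found


# Server side: the same session cookie set two ways (constructed headers).
WEAK_SET_COOKIE = "xs=SESSIONTOKEN1; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "xs=SESSIONTOKEN1; Path=/; Secure; HttpOnly"


def cookie_is_sidejackable(set_cookie_header: str) -> bool:
    """True when a Set-Cookie header lacks the Secure attribute, meaning the
    browser will attach the cookie to plain http requests as well."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


def browser_sends_cookie(set_cookie_header: str, request_scheme: str) -> bool:
    """Model the browser rule: a cookie flagged Secure is only sent over https."""
    if request_scheme == "https":
        return True
    return cookie_is_sidejackable(set_cookie_header)


if __name__ == "__main__":
    for host, session in harvest_sessions(CAPTURED_HTTP).items():
        print(f"{host}: {session}")
    print("weak cookie sent over http:", browser_sends_cookie(WEAK_SET_COOKIE, "http"))
    print("hardened cookie sent over http:", browser_sends_cookie(HARDENED_SET_COOKIE, "http"))
```

The Secure attribute alone is not enough for a site: once the cookie is Secure, the browser withholds it on any http page, so the site must keep the entire logged-in session on https or users will appear logged out on those pages. That is exactly the “persistent https” the post asks for. The later HTTP Strict Transport Security standard (RFC 6797) goes one step further by telling the browser never to request the site over plain http at all. On the user side, a VPN on the hotspot hides the http traffic from the coffee shop network, but the cookie still travels in the clear from the VPN exit onward, so it is a mitigation, not a fix.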
