[liberationtech] Firesheep: Making the Complicated Trivial

Chris Palmer chris at eff.org
Tue Oct 26 11:38:23 PDT 2010


On Oct 26, 2010, at 9:55 AM, Douglas Finley wrote:

> Would this http://pajhome.org.uk/crypt/md5/ help?

Do you mean, does it help to obscure passwords over an otherwise unauthenticated and non-confidential network channel? No. Note that Firesheep steals cookies, not passwords; the lesson is that you need to protect the entirety of your communications with the remote peer. The best available solution for web applications is for site operators to correctly use HTTPS.

> But including permanent SSL, would showing the user the list of other IPs that are logged in (like Gmail)
> and allowing them to log them out. Or even a mode in applications that only allows one logged-in user
> at a time... assuming Firesheep only works once the victim has logged in once.
> They would still steal the cookies, but they couldn't log in to the site, could they? Or if they're on the same
> wi-fi router, would they appear as the same user?

I'd rather just have secure channels to web apps that manage sessions correctly. Why waste time with half-measures?

Depending on the application and on users' expectations, allowing one login at a time and having a "You last logged in from IP... at time..." feature can be fine ideas. But they are not solutions to the session hijacking problem.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
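An added illustration of the point above (my example, not code from the thread or from Firesheep): a site that uses HTTPS for the login form but then sets a session cookie without the Secure attribute still hands that cookie to anyone on the wireless network the moment the browser fetches any http:// URL. The checker below audits a response's headers for exactly that: session cookies missing Secure/HttpOnly and a missing Strict-Transport-Security header. The header lists are constructed sample data; the cookie name is hypothetical.

```python
"""Audit HTTP response headers for the cookie exposure Firesheep relied on."""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit(headers):
    """Return a list of findings for a list of (header-name, value) pairs.

    An empty list means every cookie is confined to HTTPS and HSTS is enabled,
    so a passive eavesdropper on the LAN never sees the session cookie.
    """
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure: browser will send it over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie!r} lacks HttpOnly: readable by injected script")
    if not has_hsts:
        findings.append("no Strict-Transport-Security: a plain http:// link still reaches the site")
    return findings


# Constructed sample headers: the weak configuration and the corrected one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]
FIXED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit(hdrs) or "OK")
```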