[liberationtech] Firesheep: Making the Complicated Trivial

Douglas Finley dafinley at gmail.com
Tue Oct 26 11:43:17 PDT 2010


Thank you. Thank you. Thank you.
This listserv is about a million times better than Google.
Instant smart people who answer fully.
As annoying as getting the emails every day is, I read just about every one.

On Tue, Oct 26, 2010 at 1:38 PM, Chris Palmer <chris at eff.org> wrote:

> On Oct 26, 2010, at 9:55 AM, Douglas Finley wrote:
>
> > Would this http://pajhome.org.uk/crypt/md5/ help?
>
> Do you mean, does it help to obscure passwords over an otherwise
> unauthenticated and non-confidential network channel? No. Note that
> Firesheep steals cookies, not passwords; the lesson is that you need to
> protect the entirety of your communications with the remote peer. The best
> available solution for web applications is for site operators to correctly
> use HTTPS.
>
> > But including permanent ssl, would showing the user the list of other IPs
> > that are logged in (like Gmail) and allowing them to log them out. Or even
> > a mode in applications that only allows one logged in user at a time...
> > assuming firesheep only works once the victim has logged in once.
> > They would still steal the cookies, but they couldn't log in to the site
> > could they..or if they're on the same wi-fi router would they appear as
> > the same user?
>
> I'd rather just have secure channels to web apps that manage sessions
> correctly. Why waste time with half-measures?
>
> Depending on the application and on users' expectations, allowing one login
> at a time and having a "You last logged in from IP... at time..." feature
> can be fine ideas. But they are not solutions to the session hijacking
> problem.
>
>
> --
> Chris Palmer
> Technology Director, Electronic Frontier Foundation
>
>
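Added example, not code from the original thread or from either poster: a Go server that issues the session cookie with the Secure and HttpOnly flags, redirects plaintext requests to HTTPS and sets Strict-Transport-Security, so the browser never sends the session cookie over the open channel that Firesheep listens on. The cookie name, the placeholder session id, the route and the certificate paths are assumptions for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

const sessionCookieName = "sid" // assumed cookie name for this example

// issueSession sets the session cookie with Secure (sent only over HTTPS),
// HttpOnly (not readable from script) and SameSite. A cookie issued without
// Secure is what Firesheep captured: the browser replays it over plain HTTP.
func issueSession(w http.ResponseWriter, sessionID string) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    sessionID,
		Path:     "/",
		MaxAge:   12 * 3600,
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	})
}

// requireTLS redirects plaintext requests to HTTPS before the application sees
// them, and adds Strict-Transport-Security so the browser keeps using HTTPS.
func requireTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// loginHandler stands in for the login step; the session id is a constructed placeholder.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	issueSession(w, "constructed-session-id")
	fmt.Fprintln(w, "logged in")
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", loginHandler)
	// cert.pem and key.pem are assumed paths; port 80 would only host the redirect.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", requireTLS(mux)))
}
```

In a real deployment the session id comes from crypto/rand and the HTTP listener on port 80 serves nothing but the redirect.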