[liberationtech] Firesheep: Making the Complicated Trivial

Chris Palmer chris at eff.org
Tue Oct 26 11:44:24 PDT 2010


On Oct 26, 2010, at 11:33 AM, Jillian C. York wrote:

> As someone relatively savvy who has actually had my password sniffed during a conference (whilst using open wi-fi), I find this incredibly troubling.  I had overlooked upgrading my copy of Tweetdeck, and the version I had did not encrypt passwords.  A kid at the conference, trying to prove a point, sniffed a bunch of folks' passwords; all of them were using third-party Twitter platforms that did not encrypt passwords.

So the new version of Tweetdeck uses HTTPS for its API messages but the old one didn't?

Does the new Tweetdeck correctly verify that it is connecting to the true Twitter servers?

> I was aware of the issue, but was lax in my updates.  Others had no idea this was even an issue.  I think that's the point at which we need to start.

Agreed. I think the most cost-effective way to address these kinds of problems is to lobby developers to engineer their products securely. A version of Tweetdeck that used HTTP should never have shipped. I prefer to put as little of the onus on users as possible, especially when the problem could be made to go away with basic security engineering.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
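The two questions raised in the reply above (did the client send its API traffic over HTTPS at all, and does it verify that it is connected to the real server rather than merely encrypting to whoever answers) correspond to two client-side checks. The Python below is an added illustration, not code from this thread, from Tweetdeck or from Twitter: the endpoint names are constructed placeholders, and the secure and insecure contexts are built with only the standard library's ssl module so the comparison runs offline.

```python
import ssl
from urllib.parse import urlparse

# Constructed placeholder endpoints for the illustration; not real API URLs.
PLAINTEXT_ENDPOINT = "http://api.example.invalid/1/statuses/update.json"
ENCRYPTED_ENDPOINT = "https://api.example.invalid/1/statuses/update.json"


def validate_api_url(url: str) -> str:
    """Accept only https:// API endpoints.

    A client that talks to the API over plain HTTP hands its credentials
    to any passive listener on the same open Wi-Fi. Failing closed at
    configuration time removes that class of problem from the user's hands.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS API endpoint: {url}")
    if not parts.hostname:
        raise ValueError(f"API endpoint has no host: {url}")
    return url


def is_rejected(url: str) -> bool:
    """Audit helper: True if validate_api_url() refuses the URL."""
    try:
        validate_api_url(url)
    except ValueError:
        return True
    return False


def secure_client_context() -> ssl.SSLContext:
    """TLS client context that verifies the server's identity.

    create_default_context() already requires a certificate chained to the
    platform trust store and enables hostname checking; the explicit
    assignments make that intent visible and resist a later 'quick fix'.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate to a trusted root
    ctx.check_hostname = True             # and the certificate must name the host we asked for
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The weak configuration, kept only for contrast.

    Traffic is encrypted, but any certificate is accepted, so an active
    attacker who answers in place of the API server goes unnoticed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_server_identity(ctx: ssl.SSLContext) -> bool:
    """True only if the context both demands a trusted certificate and
    checks that it matches the requested hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for url in (PLAINTEXT_ENDPOINT, ENCRYPTED_ENDPOINT):
        print(f"{url}: {'rejected' if is_rejected(url) else 'accepted'}")
    print("secure context verifies identity:  ",
          verifies_server_identity(secure_client_context()))
    print("insecure context verifies identity:",
          verifies_server_identity(insecure_client_context()))
```

The second check is the one that separates "uses HTTPS" from "connects to the true servers": a context that encrypts but skips chain and hostname validation still protects a password from a passive sniffer, but not from anyone who can sit in the path and present their own certificate. `verifies_server_identity()` is the kind of assertion a test suite can run against whatever context a client actually uses.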