[liberationtech] Firesheep: Making the Complicated Trivial

Frank Corrigan email at franciscorrigan.com
Tue Oct 26 16:12:08 PDT 2010


Debate on Hacker News: Is Firesheep a useful demonstration of security
flaws or a dangerous hack?
327 comments
http://news.ycombinator.com/item?id=1827928
Via: https://twitter.com/WhatTheyKnow

Protecting journalists from Firesheep
https://cpj.org/internet/2010/10/protecting-journalists-from-firesheep.php


HTTPS Everywhere
https://www.eff.org/https-everywhere

Force-TLS
https://addons.mozilla.org/en-US/firefox/addon/12714/

Frank

PS: This blog post wrongly suggests passwords can be stolen with
Firesheep:

Firesheep: The cute, new password stealer
http://voices.washingtonpost.com/blog-post/2010/10/firesheep_the_cute_new_all-in-.html

----- Original message -----
From: "Chris Palmer" <chris at eff.org>
To: "Douglas Finley" <dafinley at gmail.com>
Cc: "Frank Corrigan" <email at franciscorrigan.com>,
liberationtech at lists.stanford.edu
Date: Tue, 26 Oct 2010 11:38:23 -0700
Subject: Re: [liberationtech] Firesheep: Making the Complicated Trivial

On Oct 26, 2010, at 9:55 AM, Douglas Finley wrote:

> Would this http://pajhome.org.uk/crypt/md5/ help?

Do you mean, does it help to obscure passwords over an otherwise
unauthenticated and non-confidential network channel? No. Note that
Firesheep steals cookies, not passwords; the lesson is that you need to
protect the entirety of your communications with the remote peer. The
best available solution for web applications is for site operators to
correctly use HTTPS.

> But including permanent SSL, would showing the user the list of other IPs that are logged in (like Gmail)
> and allowing them to log them out. Or even a mode in applications that only allows one logged-in user
> at a time...assuming Firesheep only works once the victim has logged in once.
> They would still steal the cookies, but they couldn't log in to the site, could they..or if they're on the same
> Wi-Fi router would they appear as the same user?

I'd rather just have secure channels to web apps that manage sessions
correctly. Why waste time with half-measures?

Depending on the application and on users' expectations, allowing one
login at a time and having a "You last logged in from IP... at time..."
feature can be fine ideas. But they are not solutions to the session
hijacking problem.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
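A small Python model, added here and not part of the thread, of the point Chris makes about cookies rather than passwords: a browser attaches a session cookie to plain http:// requests unless the server marked it Secure, so a sniffer on an open network only needs the HTTP side of a mixed-mode site. The Set-Cookie values are constructed; the Secure, HttpOnly and SameSite attributes are standard cookie attributes (SameSite postdates this 2010 thread).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers. The first is the kind of session cookie that
# leaks on an open Wi-Fi network: it is sent with every http:// request to the
# site, including the ones a "partial HTTPS" site still makes. The second is
# what "correctly use HTTPS" looks like at the cookie level.
WEAK_HEADER = "sid=3f9a1c; Path=/; HttpOnly"
HARDENED_HEADER = "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax"


def _parse_one(set_cookie_header):
    """Parse a single Set-Cookie header into its Morsel (attributes)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (morsel,) = jar.values()
    return morsel


def cookie_sent_over(set_cookie_header, url):
    """Model a browser's cookie jar for one cookie.

    Returns True if the client would attach the cookie to a request for
    `url`. Only the Secure attribute is modelled: a Secure cookie is never
    sent over a non-HTTPS scheme, so it never crosses the wire in plaintext.
    """
    morsel = _parse_one(set_cookie_header)
    return urlsplit(url).scheme == "https" or not morsel["secure"]


def audit_set_cookie(set_cookie_header):
    """Return the hardening attributes a session cookie is missing.

    Secure keeps the cookie off plaintext HTTP (the Firesheep channel);
    HttpOnly keeps it away from page scripts; SameSite limits cross-site use.
    """
    morsel = _parse_one(set_cookie_header)
    missing = []
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["samesite"]:
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        print("  sent over http:// ->", cookie_sent_over(header, "http://example.com/inbox"))
        print("  missing attributes ->", audit_set_cookie(header))
```

Running this prints that the weak cookie is sent over http:// and lacks Secure and SameSite, while the hardened one is sent only over https:// and lacks nothing.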
