[liberationtech] Firesheep: Making the Complicated Trivial

[Frank Corrigan]

Recognising that the real issue at play is the lack of https enabled websites, the item below goes over the cost and technical issues of implementing SSL/TLS.

Overclocking SSL (25 Jun 2010)
If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. 
You too can afford to enable HTTPS for your users.
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

It has already been noted that the firefox add-ons https everywhere and force-tls are good countermeasures. I have only just realised that the firefox add-on NoScript also has an options tab that allows for https to be forced, as well as it's"... pre-emptive script blocking"

https://www.eff.org/https-everywhere
http://forcetls.sidstamm.com/
http://noscript.net/

Forcing HTTPS with NoScript
http://hackademix.net/2010/10/27/forcing-https-with-noscript/

This blog post also highlights that forcing https on *.twitter.com does not appear to prevent FireSheep data capture.

The obvious implication here is that ForceTLS isn't stopping XmlHttp requests from being unencrypted. 
http://erratasec.blogspot.com/2010/10/re-firesheep.html

Mozilla is introducing HTTP Strict-Transport-Security with firefox 4.

Cooling Down the Firesheep
http://blog.mozilla.com/security/2010/10/27/cooling-down-the-firesheep/

HTTP Strict Transport Security
The folks over at PayPal are serving a Strict-Transport-Security header, if you’d like to check it out.
http://blog.mozilla.com/security/2010/08/27/http-strict-transport-security/

HTTP Strict Transport Security has landed!
http://blog.sidstamm.com/2010/08/http-strict-transport-security-has.html

On a lighter note, check out how a member of the Public responds to a mobile CCTV camera or two!
http://www.bigbrotherwatch.org.uk/home/2010/10/angry-resident-abuses-cctv-car-driver-and-puts-cover-over-his-camera.html

Frank