A developer has released a Firefox extension that illustrates just how vulnerable users of open wireless networks are when they log into websites that rely on cookies for authentication. It is well understood that cookies sent over insecure connections can easily be captured and replayed to allow a mischief maker or hacker to log …
Woo, I just get to copy-paste my response to django-users!
CSRF protects you from a 3rd party web site maliciously enticing a user to initiate data-changing requests to your site. It does nothing to protect a user from having their cookies jacked by a 3rd party, or to stop that party from maliciously using the credentials inferred from those cookies.
That this is even news is surprising - it's hardly a new attack vector. The only new thing about it is it being hooked up to a web browser and showing live feeds of what is happening, which has probably opened the eyes of people who didn't think about it before.
It's like saying 'Oh wow, you can see people's emails in plain text on unsecured wifi networks' - well, durr, it's a plain text protocol, and the whole 'unsecured network' bit should probably give it away...
If you don't want this to happen, then force the use of SSL throughout your site, and don't hand out session cookies over HTTP.
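The point in the comment above, as an added example that is not part of the original thread: a browser attaches a cookie to a plain-HTTP request unless the cookie carries the Secure attribute, so a session cookie handed out without it goes over the wire in the clear on the first http:// hit to the domain, which is exactly what a sniffer on an open network captures and replays. The Set-Cookie headers, cookie names and values below are constructed sample data; the "browser" is a deliberately minimal model of that one rule.

```python
"""
Added example: audit Set-Cookie headers for the Secure attribute and model
which cookies a browser would send over http:// versus https://.
All headers and cookie names here are constructed sample data.
"""
from http.cookies import SimpleCookie

# Constructed sample responses: the weak setting and the corrected one.
WEAK_HEADERS = [
    "sessionid=3f9a1c2b7d; Path=/; HttpOnly",
    "csrftoken=abc123; Path=/",
]
FIXED_HEADERS = [
    "sessionid=3f9a1c2b7d; Path=/; HttpOnly; Secure",
    "csrftoken=abc123; Path=/; Secure",
]


def parse_set_cookie(headers):
    """Parse Set-Cookie header values into {name: {value, secure, httponly}}."""
    cookies = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies[name] = {
                "value": morsel.value,
                # Morsel flags are "" when absent and True when present.
                "secure": bool(morsel["secure"]),
                # HttpOnly keeps scripts away from the cookie; it does
                # nothing against someone sniffing the network.
                "httponly": bool(morsel["httponly"]),
            }
    return cookies


def cookies_sent_over(headers, scheme):
    """Model the browser rule: Secure cookies ride only on https,
    every other cookie is sent on both http and https."""
    cookies = parse_set_cookie(headers)
    return sorted(
        name for name, attrs in cookies.items()
        if scheme == "https" or not attrs["secure"]
    )


def insecure_session_cookies(headers, session_names=("sessionid",)):
    """Names of session cookies that would leak on a plain-HTTP request."""
    return [n for n in cookies_sent_over(headers, "http") if n in session_names]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, "-> sent over http:", cookies_sent_over(headers, "http"),
              "session leak:", insecure_session_cookies(headers))
```

Setting Secure on the session cookie only closes the hole if the site also refuses to serve authenticated pages over plain HTTP; a user who types the http:// address simply arrives logged out, which is the intended outcome. In Django the setting that adds the attribute to the session cookie is SESSION_COOKIE_SECURE.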
Er, the kettle should fix this. Even if you're not using cookies for authentication---
Not using cookies?
Check your cookies.
El Reg knows exactly who I am (says "Hi <name>" at the top of the page) and this is before giving a name/password to post, and after having rebooted my Livebox *again* so a different IP... I bet it is related to the largish number of cookies from this domain. While you could argue that I need to log in to interact with the site, it isn't https so if the cookies can be snarfed, so too could the password info.
On the plus side, the Livebox has a rather enthusiastic firewall. Two WiFi'd machines here cannot ping each other even though they're on the same intranet. Makes pushing files around a tad complicated, but then it means a compromised machine won't get far in attacking anything else.
"known on the web as HTTPS or SSL"
I concede that SSL is probably still more prevalent, but are you really ignoring TLS? It's hardly an immature replacement for SSL...
"El Reg knows exactly who I am (says "Hi <name>" at the top of the page) and this is before giving a name/password to post, and after having rebooted my Livebox *again* so a different IP... I bet it is related to the largish number of cookies from this domain. While you could argue that I need to log in to interact with the site, it isn't https so if the cookies can be snarfed, so too could the password info."
Because you store your cookies instead of clearing browser history, cookies and passwords on exit doesn't mean El Reg knows all about you; it doesn't even stop the cookies from being replicated. The IP doesn't determine whether or not you get a cookie, and nor does https prevent session hijacking, it just makes it harder, and nor does SSL; there is plenty of evidence of Hotmail accounts being hijacked freely available, but not from Windows Live, who won't admit it, and they wouldn't really, would they, not the best advertising for your own product really.
Way to go is surely VPN, if you're worried to that extent, I'm not sure how much value you could actually put on ElReg's forum account, easily replaced if you must, and surely the biggest threat is editorial license to adjust your postings.
Has firesheep xpi been checked for security?
I'm a bit reluctant to install a Firefox add-on designed to exploit vulnerabilities unless some experts have checked it to make sure it (1) isn't introducing any by accident and (2) doesn't contain any trojan stuff.
On My Todo List
>>unless some experts have checked it
Surely everyone posting here on El Reg is completely overqualified to do so and probably reads the complete source to everything they download. I will undertake this once I finish reading Dapper Drake and get it installed. Yeah, it's taken a few years to get through, not much plot in the middle.
Installed and rigged it up, works very well.
Easier to use than setting up filters in Wireshark.
I have already had calls from clients who use our free WIFI.
Hopefully, I can increase their privacy.