Firesheep flames cookie capture risks A developer has released a Firefox extension that illustrates just how vulnerable users of open wireless networks are when they log into websites that rely on cookies for authentication. It is well understood that cookies sent over insecure connection can easily be captured and replayed to allow a mischief maker or hacker to …
CSRF protects you from a 3rd party web site maliciously enticing a user to initiate data changing requests to your site. It does nothing to protect a user from having their cookies jacked by a 3rd party user, and then stopping that user from maliciously using the credentials inferred from those cookies.
That this is even news is surprising - it's hardly a new attack vector. The only new thing about it is it being hooked up to a web browser and showing live feeds of what is happening, which has probably opened the eyes of people who didn't think about it before.
It's like saying 'Oh wow, you can see in plain text peoples emails on unsecured wifi networks' - well, durr, its a plain text protocol, and the whole 'unsecured nework' bit should probably give it away...
If you don't want this to happen, then force the use of SSL throughout your site, and don't hand out session cookies over HTTP.
Check your cookies.
El Reg knows exactly who I am (says "Hi <name>" at the top of the page) and this is before giving a name/password to post, and after having rebooted my Livebox *again* so a different IP... I bet it is related to the largish number of cookies from this domain. While you could argue that I need to log in to interact with the site, it isn't https so if the cookies can be snarfed, so to could the password info.
On the plus side, the Livebox has a rather enthusiastic firewall. Two WiFi'd machines here cannot ping each other even though they're on the same intranet. Makes pushing files around a tad complicated, but then it means a compromised machine won't get far in attacking anything else.
"El Reg knows exactly who I am (says "Hi <name>" at the top of the page) and this is before giving a name/password to post, and after having rebooted my Livebox *again* so a different IP... I bet it is related to the largish number of cookies from this domain. While you could argue that I need to log in to interact with the site, it isn't https so if the cookies can be snarfed, so to could the password info."
Because you store your cookies instead of clearing browser history,cookies, passwords on exit, doesn't mean ElReg knows all about you, it doesn't even stop the cookies trying to be replicated. The IP doesn't determine whether or not you get a cookie, and nor does https prevent session hijacking, just makes it harder, and nor does ssl, plenty of evidence of hotmail accounts being hijacked freely available, but not from Win Live who won't admit, and they wouldn't really would they, not the best advertising for your own product really.
Way to go is surely VPN, if you're worried to that extent, I'm not sure how much value you could actually put on ElReg's forum account, easily replaced if you must, and surely the biggest threat is editorial license to adjust your postings.
This post has been deleted by its author
>>unless some experts have checked it
Surely everyone posting here on El Reg is completely overqualified to do so and probably reads the complete source to everything they download. I will undertake this once I finish reading Dapper Drake and get it installed. Yeah, It's taken a few years to get thru, not much plot in the middle.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
