[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

Khalid Baheyeldin kb at 2bits.com
Tue Oct 26 13:57:17 EDT 2010

So, it is finally here.

We have always known that unencrypted WiFi is bad, and someone
can sniff the traffic and find the session cookie to the sites you login
to and use it to login as you.

Now, there is a FireFox extension that automates all that (Windows
and Mac OS/X only). No packet sniffing or manually editing headers.

Suddenly, people can log in as you, whether it is Facebook, Twitter,
or other sites that you administer. All sorts of trouble here ...

This is going to become widespread simply because it is just a FireFox

More  here




The defenses against this are many, but each has pros and cons:

1. Use only encrypted WiFi (WPA/WPA2 preferred, but even WEP is
better than nothing). If there is only unencrypted WiFi, then you are
out of luck. Go to the next steps.

2. Login to all the sites you visit when logged in using SSL only (i.e.
not http://). Not all sites support SSL though.

3. Setup an SSH tunnel to a server you control, and then use that tunnel
for all your browsing.

4. Use a VPN client to a VPN server that you have setup. Android supports
several VPNs built in already (PPTP, L2TP, L2TP with IPSec PSK, L2TP with
IPSec CRT). So it is a matter of setting up the server.

5. Subscribe to a VPN provider for a monthly fee.

Anyone with experience setting up VPNs, can you please share your knowledge
Khalid M. Baheyeldin
2bits.com, Inc.
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20101026/726ded62/attachment.html>

More information about the kwlug-disc mailing list