[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...
kb at 2bits.com
Tue Oct 26 17:09:49 EDT 2010
On Tue, Oct 26, 2010 at 3:26 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:
> On Tue, Oct 26, 2010 at 01:57:17PM -0400, Khalid Baheyeldin wrote:
> > So, it is finally here.
> > We have always known that unencrypted WiFi is bad, and someone
> > can sniff the traffic and find the session cookie to the sites you log in
> > to and use it to log in as you.
> > Now, there is a Firefox extension that automates all that (Windows
> > and Mac OS X only). No packet sniffing or manually editing headers.
> We are running an unauthenticated hotspot. It currently is
> unencrypted. What should we do?
> My inclination is to enable WPA with a super-dumb passphrase. If
> everybody knows the WPA passphrase then am I offering any protection?
I am no expert on wireless encryption, but I think enabling WPA with a
weak password is enough to protect against site login hijacking.
The reason I think this is the case is that traffic is encrypted and
sniffers will not be able to see plain text traffic that enables this kind
> Expecting everybody to use SSL is unreasonable in this context. Yes, I
> know that this is what people *should* do, but I live in the real
> world, not the fairy land where people do what they should.
Even if people wanted to, not all servers have SSL, so that limits this
as a solution.
Khalid M. Baheyeldin
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci