[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...
unsolicited at swiz.ca
Tue Oct 26 19:18:03 EDT 2010
Paul Nijjar wrote, On 10/26/2010 3:26 PM:
> On Tue, Oct 26, 2010 at 01:57:17PM -0400, Khalid Baheyeldin wrote:
>> So, it is finally here.
>> We have always known that unencrypted WiFi is bad, and someone
>> can sniff the traffic and find the session cookie to the sites you log in
>> to and use it to log in as you.
>> Now, there is a Firefox extension that automates all that (Windows
>> and Mac OS X only). No packet sniffing or manually editing headers.
> We are running an unauthenticated hotspot. It currently is
> unencrypted. What should we do?
Assuming by hotspot you mean public access - why do you feel you need
to do anything?
(Presumably you already have notices up "Wi-Fi in any form is
inherently insecure, use at your own risk.", you use it, you assume
the risk, no liability, yada, yada.)
- does something change here if you encrypt and put below it the
really easy password? [What's the difference between the two
situations?] (Granted, I can't sniff your session cookie easily under
any form of encryption, but open is open.)
At what point do your, or your perceived prudent, responsibilities
end, and the user's begin?
If you have a public access hotspot, do you not become an ISP, and
since we are unable to hold their feet to their fire, for e.g. spam,
why do you perceive yourself to be different?