[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

Khalid Baheyeldin kb at 2bits.com
Wed Oct 27 20:37:02 EDT 2010


On Wed, Oct 27, 2010 at 8:33 PM, Raul Suarez <rarsa at yahoo.com> wrote:

> --- On Tue, 10/26/10, Lori Paniak <ldpaniak at fourpisolutions.com> wrote:
> > Additional motivation for major sites to get their SSL act together
> > would be boycotts of those that exchange credentials in clear text.
>
> The way I understood it is that it is not the credentials that are captured
> but the identity stored in a cookie.
>

Yes.

Most applications have a cookie that identifies a session, and that in turn
is associated with a certain user who is logged on.


> Many sites encrypt the login but once authenticated the rest is
> unencrypted.
>

Yes.

The login page would be https, but the rest of the pages would be http.

This scheme is no longer of value.

> Once you have the identity key, your browser can impersonate the session and
> get the access the other browser has.
>

Exactly.


> For the other people that have followed this up, am I right?
>

Yes. It means they hijack your session cookie and effectively log in as you,
and have the same privileges as you.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
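A worked illustration of the point made in this thread (an added example, not from the original post or from Khalid): the standard-library cookie jar stands in for a browser, and shows that a session cookie set during an https:// login is replayed on every later http:// page of the same site unless it carries the Secure attribute. The host name, paths and cookie value are constructed placeholders.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends repeats

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_header, login_url, page_url):
    """Cookie header the jar would attach to page_url after logging in."""
    jar = CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse([set_cookie_header]), login_request)
    page_request = urllib.request.Request(page_url)
    jar.add_cookie_header(page_request)
    return page_request.get_header("Cookie", "")


LOGIN = "https://example.test/login"     # constructed placeholder host
PLAIN_PAGE = "http://example.test/inbox"  # same site, served over plain HTTP
TLS_PAGE = "https://example.test/inbox"

# Weak: HTTPS login, but the session cookie has no Secure flag, so the jar
# replays it on the http:// pages, where anyone on the open WiFi can read it.
WEAK = "sessionid=abc123; Path=/; HttpOnly"
# Fixed: Secure means the cookie only ever travels over TLS. The site must
# then serve every logged-in page over HTTPS, or those pages lose the session.
FIXED = "sessionid=abc123; Path=/; HttpOnly; Secure"


def leaks_over_http(set_cookie_header):
    """True if the session cookie would be sent on a plain-HTTP page."""
    return "sessionid=" in cookies_sent_to(set_cookie_header, LOGIN, PLAIN_PAGE)


if __name__ == "__main__":
    print("no Secure flag, http page :", leaks_over_http(WEAK))   # True
    print("Secure flag, http page    :", leaks_over_http(FIXED))  # False
    print("Secure flag, https page   :",
          "sessionid=" in cookies_sent_to(FIXED, LOGIN, TLS_PAGE))  # True
```

The Secure flag is only half of the fix: the other half is serving every logged-in page over HTTPS, which is exactly what the "https login, http everything else" scheme discussed above does not do.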