OSNews: http://www.osnews.com/story/24003/Firesheep_Countermeasure_Tool_BlackSheep Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Wed, 22 May 2013 12:36:58 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Comment by satan666 http://www.osnews.com/thread?449086 http://www.osnews.com/thread?449086 Then they will create anther extension called PinkSheep that will detect BlackSheep and will circumvent it.
What we really need is a wolf. Mon, 08 Nov 2010 17:09:00 GMT donotreply@osnews.com (satan666) Comments RE: Comment by satan666 http://www.osnews.com/thread?449096 http://www.osnews.com/thread?449096 A wolf in sheep’s clothing, or the kind that dresses up in women’s clothing? Mon, 08 Nov 2010 17:36:00 GMT donotreply@osnews.com (Kroc) Comments A slow acting alarm as countermeasure? http://www.osnews.com/thread?449097 http://www.osnews.com/thread?449097 It only sends the fake stuff every 5 minutes so could be countered by adding a window to firesheep.

It also doesn't stop a hijacked session, so you get hijacked and see later that firesheep is running somewhere - now you have to logout in the interim and hope nothing bad happened.

If they aren't using IP verification, I can use a VPN tunnel for the transmissions and blacksheep would not see them. Mon, 08 Nov 2010 17:40:00 GMT donotreply@osnews.com (tomz) Comments Yeah, cuz that makes you safe... http://www.osnews.com/thread?449110 http://www.osnews.com/thread?449110 What moron thinks that because they have a plugin in their browser that detects someone else using a plugin in their browser, that somehow they're no longer leaking sensitive data over a public network.

Treating the symptom doesn't fix the problem... but I suppose it allows people to sleep at night in ignorance. Mon, 08 Nov 2010 18:41:00 GMT donotreply@osnews.com (umccullough) Comments RE: You mean... http://www.osnews.com/thread?449115 http://www.osnews.com/thread?449115 The internet is not all on my hard drive? You know the one on my desk?

Yeah, that big black and tan box that has my automatic pullout cup holder!

Where did my refrigerator magnet get to that holds my backup 8" floppy disk to my steel fire proof filing cabinet? Mon, 08 Nov 2010 19:19:00 GMT donotreply@osnews.com (gfolkert) Comments Required SSL http://www.osnews.com/thread?449121 http://www.osnews.com/thread?449121 In today's world, I think any site that handles any personal information (other than name, and timezone) should require at least simple SSL encryption.

Sites using phpbb, Wordpress, etc since they ususally only store name, IP, and timezone info can be exempt.

These site should be forced IMO. (at least parts of the site once you are logged in)
Shopping sites (Amazon.com), WebMail (Hotmail, Google), Banks/Financial, social sites (Facebook).

Unfortunately even using Facebook Pro Secure is iffy, sometimes it still uses normal http.
http://userscripts.org/scripts/show/49079Edited 2010-11-08 20:13 UTC Mon, 08 Nov 2010 20:11:00 GMT donotreply@osnews.com (robojerk) Comments RE[2]: You mean... http://www.osnews.com/thread?449123 http://www.osnews.com/thread?449123 You can download the Internet here: http://thepiratebay.org/torrent/5923737/Geocities_-_The_Torrent It's just 640 GB! Mon, 08 Nov 2010 20:49:00 GMT donotreply@osnews.com (Kroc) Comments RE: Required SSL http://www.osnews.com/thread?449124 http://www.osnews.com/thread?449124 The reason so few use SSL on their sites is the brain-dead stupid business model of SSL certs. Tying identity to encryption is a misdirection. Encryption should not require identity. SSL certs are expensive and simply don't prove anything useful.

Developers are not the problem. It's the CAs and the browser vendors. Producing scary errors on self-signed certs protects absolutely bloody nobody and locks password protection to the SSL racket. Mon, 08 Nov 2010 20:57:00 GMT donotreply@osnews.com (Kroc) Comments RE[3]: You mean... http://www.osnews.com/thread?449142 http://www.osnews.com/thread?449142 Heh, reminds me of this, click to see how OSNews would look if it had been hosted on geocities:

http://wonder-tonic.com/geocitiesizer/content.php?theme=2&music... Mon, 08 Nov 2010 22:27:00 GMT donotreply@osnews.com (Valhalla) Comments RE[2]: Required SSL http://www.osnews.com/thread?449145 http://www.osnews.com/thread?449145
Developers are not the problem. It's the CAs and the browser vendors. Producing scary errors on self-signed certs protects absolutely bloody nobody and locks password protection to the SSL racket.


I'll agree that the entire concept of SSL certificate/encryption, with CA's and high prices, is indeed a broken system and a scam to some extent - but the "scary errors" browsers display have a valid purpose.

Given how SSL works, and how users expect it to behave, if you can't verify the certificate you're using belongs to the site you are surfing, you can't know that the encryption keys you're sharing with them haven't been tampered with by a middleman. On a public wifi network, this can be a real threat...

In any case - if I encounter a site with an "untrusted" certificate, and I don't figure it matters for that particular site (read: I'm not revealing personal information to the site), then I'll just accept it anyway.

These days, you can get a free Class 1 cert (unrevokable, single domain)... or a cheap Class 2 verification wildcard cert for like $25/year ($50 for two years) from StartCom:

http://www.startssl.com/

All major browsers accept these... so it's hard to complain about it much.Edited 2010-11-08 22:46 UTC Mon, 08 Nov 2010 22:45:00 GMT donotreply@osnews.com (umccullough) Comments RE: Required SSL http://www.osnews.com/thread?449150 http://www.osnews.com/thread?449150
In today's world, I think any site that handles any personal information (other than name, and timezone) should require at least simple SSL encryption.

Sites using phpbb, Wordpress, etc since they ususally only store name, IP, and timezone info can be exempt.

These site should be forced IMO. (at least parts of the site once you are logged in)
Shopping sites (Amazon.com), WebMail (Hotmail, Google), Banks/Financial, social sites (Facebook).


One of the reasons I've heard cited is that encrypting all communication with SSL incurs higher server load (and client for that matter - those poor cell phones have to encrypt/decrypt every request to the server).

Another thing it also limits is the ability to easily load balance cache-able resources - for example, a trick that many sites use is to farm their image or .js hosting out to other load balanced servers on different domains - which would require a connection to a different server, which creates a complicated security situation. I already see this often while using gmail https - my browser is constantly warning me that there are "some unsecured elements on the page"...

There are some companies that take this stuff seriously... Google for example even gives you a way to search on a public network without anyone else sniffing your search terms (except Google of course... but hey, they already know everything about you):

https://encrypted.google.com/ Mon, 08 Nov 2010 23:11:00 GMT donotreply@osnews.com (umccullough) Comments