Linked by David Adams on Mon 8th Nov 2010 16:49 UTC, submitted by HAL2001
Privacy, Security, Encryption Firesheep is a Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a counter-measure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked.
Thread beginning with comment 449121
To read all comments associated with this story, please click here.
Required SSL
by robojerk on Mon 8th Nov 2010 20:11 UTC
robojerk
Member since:
2006-01-10

In today's world, I think any site that handles any personal information (other than name, and timezone) should require at least simple SSL encryption.

Sites using phpbb, Wordpress, etc since they ususally only store name, IP, and timezone info can be exempt.

These site should be forced IMO. (at least parts of the site once you are logged in)
Shopping sites (Amazon.com), WebMail (Hotmail, Google), Banks/Financial, social sites (Facebook).

Unfortunately even using Facebook Pro Secure is iffy, sometimes it still uses normal http.
http://userscripts.org/scripts/show/49079

Edited 2010-11-08 20:13 UTC

Reply Score: 4

RE: Required SSL
by Kroc on Mon 8th Nov 2010 20:57 in reply to "Required SSL"
Kroc Member since:
2005-11-10

The reason so few use SSL on their sites is the brain-dead stupid business model of SSL certs. Tying identity to encryption is a misdirection. Encryption should not require identity. SSL certs are expensive and simply don't prove anything useful.

Developers are not the problem. It's the CAs and the browser vendors. Producing scary errors on self-signed certs protects absolutely bloody nobody and locks password protection to the SSL racket.

Reply Parent Score: 5

RE[2]: Required SSL
by umccullough on Mon 8th Nov 2010 22:45 in reply to "RE: Required SSL"
umccullough Member since:
2006-01-26

Developers are not the problem. It's the CAs and the browser vendors. Producing scary errors on self-signed certs protects absolutely bloody nobody and locks password protection to the SSL racket.


I'll agree that the entire concept of SSL certificate/encryption, with CA's and high prices, is indeed a broken system and a scam to some extent - but the "scary errors" browsers display have a valid purpose.

Given how SSL works, and how users expect it to behave, if you can't verify the certificate you're using belongs to the site you are surfing, you can't know that the encryption keys you're sharing with them haven't been tampered with by a middleman. On a public wifi network, this can be a real threat...

In any case - if I encounter a site with an "untrusted" certificate, and I don't figure it matters for that particular site (read: I'm not revealing personal information to the site), then I'll just accept it anyway.

These days, you can get a free Class 1 cert (unrevokable, single domain)... or a cheap Class 2 verification wildcard cert for like $25/year ($50 for two years) from StartCom:

http://www.startssl.com/

All major browsers accept these... so it's hard to complain about it much.

Edited 2010-11-08 22:46 UTC

Reply Parent Score: 3

RE: Required SSL
by umccullough on Mon 8th Nov 2010 23:11 in reply to "Required SSL"
umccullough Member since:
2006-01-26

In today's world, I think any site that handles any personal information (other than name, and timezone) should require at least simple SSL encryption.

Sites using phpbb, Wordpress, etc since they ususally only store name, IP, and timezone info can be exempt.

These site should be forced IMO. (at least parts of the site once you are logged in)
Shopping sites (Amazon.com), WebMail (Hotmail, Google), Banks/Financial, social sites (Facebook).


One of the reasons I've heard cited is that encrypting all communication with SSL incurs higher server load (and client for that matter - those poor cell phones have to encrypt/decrypt every request to the server).

Another thing it also limits is the ability to easily load balance cache-able resources - for example, a trick that many sites use is to farm their image or .js hosting out to other load balanced servers on different domains - which would require a connection to a different server, which creates a complicated security situation. I already see this often while using gmail https - my browser is constantly warning me that there are "some unsecured elements on the page"...

There are some companies that take this stuff seriously... Google for example even gives you a way to search on a public network without anyone else sniffing your search terms (except Google of course... but hey, they already know everything about you):

https://encrypted.google.com/

Reply Parent Score: 2