[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

Khalid Baheyeldin kb at 2bits.com
Tue Oct 26 17:09:49 EDT 2010


On Tue, Oct 26, 2010 at 3:26 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:

> On Tue, Oct 26, 2010 at 01:57:17PM -0400, Khalid Baheyeldin wrote:
> > So, it is finally here.
> >
> > We have always known that unencrypted WiFi is bad, and someone
> > can sniff the traffic and find the session cookie to the sites you login
> > to and use it to login as you.
> >
> > Now, there is a FireFox extension that automates all that (Windows
> > and Mac OS/X only). No packet sniffing or manually editing headers.
>
> We are running an unauthenticated hotspot. It currently is
> unencrypted. What should we do?
>
> My inclination is to enable WPA with a super-dumb passphrase. If
> everybody knows the WPA passphrase then am I offering any protection?
>

I am no expert on wireless encryption, but I think enabling WPA with a
weak password is enough to protect against site login hijacking.

The reason I think this is the case is that traffic is encrypted and
therefore
sniffers will not be able to see plain text traffic that enables this kind
of
hijacking.


> Expecting everybody to use SSL is unreasonable in this context. Yes, I
> know that this is what people *should* do, but I live in the real
> world, not the fairy land where people do what they should.
>

Even if people wanted to, not all servers do have SSL, so that limits this
as a solution.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20101026/a27fb816/attachment.htm>


More information about the kwlug-disc mailing list