[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

unsolicited unsolicited at swiz.ca
Tue Oct 26 19:18:03 EDT 2010


Paul Nijjar wrote, On 10/26/2010 3:26 PM:
> On Tue, Oct 26, 2010 at 01:57:17PM -0400, Khalid Baheyeldin wrote:
>> So, it is finally here.
>>
>> We have always known that unencrypted WiFi is bad, and someone
>> can sniff the traffic and find the session cookie to the sites you login
>> to and use it to login as you.
>>
>> Now, there is a FireFox extension that automates all that (Windows
>> and Mac OS/X only). No packet sniffing or manually editing headers.
> 
> We are running an unauthenticated hotspot. It currently is
> unencrypted. What should we do?

Assuming by hotspot you mean public access - why do you feel you need 
to do anything?

(Presumably you already have notices up "Wi-Fi in any form is 
inherently insecure, use at your own risk.", you use it, you assume 
the risk, no liability, yada, yada.)

- does something change here if you encrypt and put below it the 
really easy password? [What's the difference between the two 
situations?] (Granted, I can't sniff your session cookie easily under 
any form of encryption, but open is open.)

At what point do your, or your perceived prudent, responsibilities 
end, and the user's begins?

If you have a public access hotspot, do you not become an ISP, and 
since we are unable to hold their feet to their fire, for e.g. spam, 
why do you perceive yourself to be different?




More information about the kwlug-disc mailing list