[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

Joe Wennechuk youcanreachmehere at hotmail.com
Wed Oct 27 05:57:07 EDT 2010


Won't IP6 fix most of these structural Issues? IPSec etc...

Joseph Wennechuk

________________




Date: Tue, 26 Oct 2010 20:24:44 -0400
From: kb at 2bits.com
To: kwlug-disc at kwlug.org
Subject: Re: [kwlug-disc] Firesheep: Open WiFi cookie stealing for the	masses ...

On Tue, Oct 26, 2010 at 8:11 PM, Lori Paniak <ldpaniak at fourpisolutions.com> wrote:

On Tue, 2010-10-26 at 19:27 -0400, Khalid Baheyeldin wrote:

> SSL requires that the site owner buys a certificate, which is an added

> expense and effort to configure. It also requires that it be updated

> manually every year. Yes, you can use self signed certificates, but

> major browsers complain with a really scary

> warning if you use those.



> The other issue is that SSL on the server eats up a bit more CPU for

> the encryption than plain text HTTP.

>

> And it is one of these things that if everyone did it, all is well. If

> a few major sites don't, then it is less than useful. Compare that to

> PGP keys for signing emails. Only a few people use them.

>

> Remember that HTTP is not the only traffic that you will do on a

> typical desktop, or smartphone. If you are on IRC, or using Instant

> Messaging (e.g. Jabber), then probably you are unencrypted too.

>

> A VPN solves all this in one swoop, for an added performance penalty

> (a little bit of CPU, plus the lag from/to the VPN) and perhaps added

> expense too (either setup your own, or pay for a service).

> --



I disagree.  This is a structural problem that needs to be solved on the

server end, not the client end.  A little extra work and expense (less

than the price of hosting?) is much less work and expense than each and

every user stringing their own VPN proxy.  Not to mention the users who

don't know what VPN means.  Maybe sites like Facebook should use their

piles of cash to hire some people who know something about securing

websites (like 2bits!).

How would Facebook solving this for their own site solve it for the average

user having his password sniffed when they connect to Gtalk via Jabber?
 


Additional motivation for major sites to get their SSL act together

would be boycotts of those that exchange credentials in clear text.

Did that ever make the adoption of PGP for email pick up? Beyond us
geeks having key signing parties, it is barely known elsewhere.


Is it recognized by Yahoo Mail, Hotmail and Gmail?


The VPN solution is not going to be effective for real-time

communications like VoIP or video (though there are other solutions

there). Additionally, browsing the internet through your home VPN server

is not particularly pleasant due to the <600kbps bottleneck on uploads

from home.

It is usable indeed.

Companies who provide VPN services are making good money providing
VPN services for those in countries that block Skype (e.g. UAE, Thailand,
and others).


I personally know a few people who use VPN just for that reason.

Yes, there is a performance penalty, but it does not make VoIP unusable.



I don't see eavesdropping on conversations as being (as big) a problem

as stealing and spoofing ID.  Having definite attribution is more

important than content.

That is the main issue: stealing credentials. That new Firefox extension
just make it so that any script kiddie can use it at any cafe or any university.
 


Bottom line: VPN is a band-aid that does not solve the underlying

problem and just lets it get worse.

If you are at home, on a secured WiFi or wired network, things are probably
OK. They have been for a while. The urgent need is open WiFi as an attack
vector for credentials that are sent over the wire.


A VPN solves this for both notebooks as well as smartphones in a cafe.
 
Until all sites (and services) everywhere move to SSL that is ...



Enough editorializing - time for a practical question: how secure is the

kwlug site?  How can it be improved?  At what cost?  (Sounds like a new

thread)

Yes, new thread.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.

Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci


_______________________________________________
kwlug-disc_kwlug.org mailing list
kwlug-disc_kwlug.org at kwlug.org
http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20101027/e4f18483/attachment.htm>


More information about the kwlug-disc mailing list