[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

unsolicited unsolicited at swiz.ca
Wed Oct 27 16:28:40 EDT 2010


Paul Nijjar wrote, On 10/27/2010 9:43 AM:
> On Tue, Oct 26, 2010 at 07:18:03PM -0400, unsolicited wrote:
>> Paul Nijjar wrote, On 10/26/2010 3:26 PM:
>>
>> Assuming by hotspot you mean public access - why do you feel you need to 
>> do anything?
> 
> Man. If you knew the computer proficiency of our users you would
> cringe. 
> 
> I may not have a legal responsibility to protect my users from script
> kiddies sniffing their credentials, but I am paid the big bucks to
> structure our services so that they are useful and safe. 
> 
>> - does something change here if you encrypt and put below it the really 
>> easy password? [What's the difference between the two situations?] 
>> (Granted, I can't sniff your session cookie easily under any form of 
>> encryption, but open is open.)
> 
> That is the question I am trying to resolve. Lori offered a partial
> answer. I guess I will have to dig deeper. 
> 
> I can't believe that this is not a solved problem. 

It is. Think Chapters / Starbucks or William's open wi-fi - who, as 
far as I know, do nothing, use at your own risk, etc., etc.

Actually - doesn't Starbucks now need you to go to the till and get a 
key? (Equivalent to a password.)

Publicly, I expect no one wants to state their position, as any 
position will itself cause a kerfuffle. There is no right / 
acceptable answer to everyone.

Perhaps Cedric can offer insight as to the issues and links towards 
discussions on them.

I get part of your problem - you don't want to become 'the man' with 
an ISP's apparent level of callousness; however, some of their 
callousness has likely come out of simple self-defence.


