Gathering session cookies with Firesheep
Posted Nov 4, 2010 13:55 UTC (Thu) by ekj
In reply to: Gathering session cookies with Firesheep
Parent article: Gathering session cookies with Firesheep
I'm sorry, but that argument doesn't merely fail to fly, it sinks like neutronium in hot butter.
- https with a self-signed cert is MORE secure than no encryption at all.
- https with a self-signed cert causes warnings that plain http does not.
- It does not protect against man-in-the-middle, but it DOES protect fully against all passive attacks. A defence that stops *some* attacks is better than no defence at all.
- Browsers could, if they liked, save any self-signed certs and warn if they ever change -- this would stop man-in-the-middle in all cases except those where your *first* visit happens to hit the MITM. (Again: stopping *some* attacks is superior to stopping no attacks.)
- The practical result of making https cumbersome and expensive to use is that people use plain http instead; this does not in ANY way benefit security.
There's a difference between "false security" and "some security" - encryption that *does* in fact stop all passive eavesdropping does not deserve to be labeled "false", despite the fact that there are *other* attacks it does not stop.
It's a 3-step ladder:
1: No protection.
2: Protection against passive attacks.
3: Protection against active attacks.
There's absolutely no rational reason to not warn in cases 1 and 3 but DO warn in case 2. Yes, I'm aware that some claim there is, but merely claiming it doesn't make it true.
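The "save the cert and warn if it changes" scheme described in the comment above is trust-on-first-use (TOFU) pinning, the same model ssh uses for known_hosts. The following is an added example, not code from the commenter, LWN or any browser: a small TOFU store keyed by host and port that records the SHA-256 fingerprint of a certificate on first contact, accepts an unchanged certificate later, and refuses to silently overwrite the pin when a different certificate shows up. The host names and the "certificate" byte strings are constructed placeholders; a real client would hash the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`. As the comment notes, the first-use case is exactly the window this scheme cannot close, so the code treats it as a distinct verdict rather than a plain success.

```python
import hashlib
import json
import os
from typing import Dict, List, Optional

# Verdicts returned by TofuStore.check()
FIRST_USE = "first_use"  # no pin yet: record it and proceed; a MITM on THIS visit goes unnoticed
MATCH = "match"          # same cert as before: both passive and active interposers are defeated
MISMATCH = "mismatch"    # cert changed: warn loudly and do NOT replace the pin automatically


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the usual pinning identifier."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Maps 'host:port' to a certificate fingerprint; persists to a JSON file if a path is given."""

    def __init__(self, path: Optional[str] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path and os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self) -> None:
        if self.path:
            with open(self.path, "w", encoding="utf-8") as fh:
                json.dump(self.pins, fh, indent=2, sort_keys=True)

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Compare the presented certificate against the stored pin for this endpoint."""
        key = f"{host}:{port}"  # port is part of the key: a different service may legitimately differ
        fp = fingerprint(cert_der)
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = fp
            self._save()
            return FIRST_USE
        return MATCH if known == fp else MISMATCH

    def accept_new(self, host: str, port: int, cert_der: bytes) -> None:
        """Explicit user override after a MISMATCH (the equivalent of editing known_hosts)."""
        self.pins[f"{host}:{port}"] = fingerprint(cert_der)
        self._save()


# Constructed placeholder "certificates": the pinning logic only hashes DER bytes,
# so any distinct byte strings stand in for real certificates in this example.
LEGIT_CERT = b"-- constructed DER for example.test, self-signed --"
MITM_CERT = b"-- constructed DER presented by an interposer --"
OTHER_HOST_CERT = b"-- constructed DER for other.test --"


def simulate_visits(store: Optional[TofuStore] = None) -> List[str]:
    """Replay a sequence of connections and return the verdict for each one."""
    store = store or TofuStore()
    visits = [
        ("example.test", 443, LEGIT_CERT),   # first contact: pin recorded
        ("example.test", 443, LEGIT_CERT),   # unchanged cert on a later visit
        ("example.test", 443, MITM_CERT),    # interposer presents its own cert
        ("example.test", 443, LEGIT_CERT),   # the mismatch did not overwrite the pin
        ("other.test", 443, OTHER_HOST_CERT),  # a different endpoint gets its own pin
    ]
    return [store.check(host, port, cert) for host, port, cert in visits]


if __name__ == "__main__":
    for verdict in simulate_visits():
        print(verdict)
```

Run stand-alone it prints the five verdicts in order: first_use, match, mismatch, match, first_use. The fourth line is the design point worth noticing: after a mismatch the original pin is still in place, so a one-off interposer does not get to "rotate" the pin under the user; only `accept_new` (a deliberate user action) does that.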