By "X is more secure than Y" I mean that the set of attacks that work against X is smaller than the set of attacks that work against Y.
A protocol that is protected against passive eavesdropping is thus more secure than a protocol which isn't.
Arguing that self-signed-https is NOT more secure than plain http is precisely analogous to arguing that ssh is not more secure than telnet.
Running active MITM-attacks is actually more difficult, more costly and more likely to be discovered than merely sniffing plaintext-traffic that passes by. Thus defending against passive listening-attacks is better than doing nothing at all.
ssh is, in fact, more secure than telnet.
I agree that Joe Public can't be trained to evaluate the danger of a changed certificate - but (and this is a big but) even if he cannot - how does that make him worse off, compared to http?
Yes, true. Joe Public won't notice active man-in-the-middle attacks when the site uses self-signed https. But that is ALSO true of plain http.
The browsers, effectively, claim that "self-signed https is MORE dangerous than plain http"
If we were arguing which is more secure of externally-signed and self-signed, then we'd agree: externally-signed is better for foiling man-in-the-middle.
But that's not my argument!
My argument is that self-signed-https is superior to plain http. And thus it's insane to put scary warnings on it, which are absent from http.
http is WORST. self-signed https is BETTER. externally-signed https is *BEST*
Posted Nov 8, 2010 17:06 UTC (Mon) by gerv (subscriber, #3376)
I agree that Joe Public can't be trained to evaluate the danger of a changed certificate - but (and this is a big but) even if he cannot - how does that make him worse off, compared to http?
Because if you make him used to dismissing changed-cert warnings, he'll also dismiss them when it's using CA-based HTTPS. Which makes him a lot worse off, because he'll get MITMed when accessing his bank.