
Gathering session cookies with Firesheep

Gathering session cookies with Firesheep

Posted Nov 11, 2010 3:57 UTC (Thu) by foom (subscriber, #14868)
In reply to: Gathering session cookies with Firesheep by filteredperception
Parent article: Gathering session cookies with Firesheep

> Isn't the only added hurdle to pulling off this attack the need to get a non-self-signed cert?

You can't get just *any* non-self-signed cert. It has to be a cert valid for the domain name the user is trying to access, signed by one of the certification authorities trusted by the browser.

And that's not a completely trivial thing to do with just a small application of money.

It's only trivial if you happen to run one of the ~500 trusted root or intermediate CAs (e.g. most major governments in the world, and a few companies besides), or have enough money to infiltrate one.



Gathering session cookies with Firesheep

Posted Nov 11, 2010 5:24 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

That sort of thing has happened. It's been documented to happen to www.microsoft.com and there's no reason to believe that it can't happen with a bank as well.

But if you watch out for the cert changing, as opposed to just the cert existing, you cover most of that problem.

Gathering session cookies with Firesheep

Posted Nov 11, 2010 5:43 UTC (Thu) by filteredperception (guest, #5692) [Link]

> You can't get just *any* non-self-signed cert. It has to be a cert valid for the domain name the user is trying to access, signed by one of the certification authorities trusted by the browser.

Duh, OK, I figured I was missing something. Hmmm... Maybe the real issue is that certs cost $$ for no good reason, and that is the central issue impeding much more widespread use of https.

Gathering session cookies with Firesheep

Posted Nov 13, 2010 10:31 UTC (Sat) by gerv (subscriber, #3376) [Link]

Certs don't "cost $$ for no good reason". If all you want is a Domain Verified cert, get one from StartCom for free. And if you want an EV cert, the CA has to do a load of checks (see cabforum.org for the document listing them all) and that costs money, so you should expect to pay. Any CA can sign up to issue them, with the relevant audits, so it's not a closed market and there is competition.

Gerv

Copyright © 2013, Eklektix, Inc.