User: Password:
|
|
Subscribe / Log in / New account

Gathering session cookies with Firesheep

Gathering session cookies with Firesheep

Posted Nov 4, 2010 4:28 UTC (Thu) by quotemstr (subscriber, #45331)
In reply to: Gathering session cookies with Firesheep by JohnLenz
Parent article: Gathering session cookies with Firesheep

First of all, the server would need to keep a lot of state to prevent replay attacks. Second, attackers can still sniff connections and obtain a great deal of personal information. It'd be less effort to just bite the bullet and use SSL, which has many advantages besides preventing session hijacking. SSL isn't even all that bad for performance if configured properly.

It's really amazing to watch people jump through intellectual hoops to justify not protecting their users with SSL.


(Log in to post comments)

Gathering session cookies with Firesheep

Posted Nov 4, 2010 13:47 UTC (Thu) by robert_s (subscriber, #42402) [Link]

"It's really amazing to watch people jump through intellectual hoops to justify not protecting their users with SSL."

Jump through intellectual hoops?

How about not being able to use virtualhosts with HTTPS? A huge number (the vast majority I would say) of sites on the web use virtualhosts. I wonder how quickly IPv4 would be exhausted if we all started using HTTPS and needed individual IPs for our websites.

On top of that, once we start using HTTPS, most of our lovely tiered caching mechanisms become unusable. All requests will have to be served fully.

There are plenty of real problems with switching everything to HTTPS, intellectual hoops are not needed.

I was also thinking of something along the lines of JohnLenz. It would probably need a browser HTTP extension so the contents of the full request could be signed against a timestamp of some sort rather than using a sequentially-shifting key.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 16:33 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

How about not being able to use virtualhosts with HTTPS? A huge number (the vast majority I would say) of sites on the web use virtualhosts. I wonder how quickly IPv4 would be exhausted if we all started using HTTPS and needed individual IPs for our websites.
Server Name Indication.
On top of that, once we start using HTTPS, most of our lovely tiered caching mechanisms become unusable. All requests will have to be served fully.

Clients cache requests served over SSL just fine. Gateway machines can translate SSL traffic into something before sending it to a reverse proxy or load-balancing it. CDNs also support SSL these days.

You are jumping through intellectual hoops to justify your hostility toward SSL. A modicum of research would have uncovered these solutions. Continuing to risk user privacy merely to save a few CPU cycles is just unacceptable. Network hardware never gets tired. CPU cycles are cheap. Real people have actual sensitive information crucial to their physical and emotional well-being. I can't believe people prefer the former to the latter.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:12 UTC (Thu) by dlang (subscriber, #313) [Link]

TLS also supports multiple name-based virtual hosts with SSL

the problem is that the browsers don't all support this, so unless you are willing to reject everyone with a bad browser, this doesn't matter.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:14 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

Rejecting IE6 has to happen sooner or later. The other major browsers support SNI.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:22 UTC (Thu) by dlang (subscriber, #313) [Link]

what about the minor browsers? (and remember to include all the browsers on phones and mobile devices)

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:26 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

iOS4 and Android also support SNI. Even elinks supports it these days.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:27 UTC (Thu) by dlang (subscriber, #313) [Link]

iOS and Android are both pretty new platforms

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:30 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

They're also widely-used; many features don't work with ancient browsers anyway.

Are you really arguing that supporting a handful of users with ancient browsers is worth sacrificing everyone's privacy?

Gathering session cookies with Firesheep

Posted Nov 4, 2010 23:50 UTC (Thu) by nteon (subscriber, #53899) [Link]

according to Wikipedia, no IE on WinXP has SNI support. Thats unfortunately a large chunk of the general, internet browsing public.

Gathering session cookies with Firesheep

Posted Nov 9, 2010 14:36 UTC (Tue) by holstein (guest, #6122) [Link]

Well, that could be (another) incentive to move on to something better.

And Linux runs ususally very well on these ancient machines ;)

Gathering session cookies with Firesheep

Posted Nov 5, 2010 9:03 UTC (Fri) by ekj (guest, #1524) [Link]

Everyone who is on XP and using IE (any version!) lives without SNI. As far as I know (it's been a while since I've used it, so possibly, this has been fixed) IIS also fails to support SNI.

A solution which is unavailable on ~25% of all webservers, and which fail to work for ~10% of all users, is not currently viable.

It seems likely this problem will go away in the future. But at the moment, it's a real problem. 5 years from now, I expect SNI will be pretty universally supported. It'll allow shared-ip-webhosts to offer https afterall, and that's a pretty major progress.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds