User: Password:
|
|
Subscribe / Log in / New account

Gathering session cookies with Firesheep

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:12 UTC (Thu) by dlang (subscriber, #313)
In reply to: Gathering session cookies with Firesheep by quotemstr
Parent article: Gathering session cookies with Firesheep

TLS also supports multiple name-based virtual hosts with SSL

the problem is that the browsers don't all support this, so unless you are willing to reject everyone with a bad browser, this doesn't matter.


(Log in to post comments)

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:14 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

Rejecting IE6 has to happen sooner or later. The other major browsers support SNI.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:22 UTC (Thu) by dlang (subscriber, #313) [Link]

what about the minor browsers? (and remember to include all the browsers on phones and mobile devices)

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:26 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

iOS4 and Android also support SNI. Even elinks supports it these days.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:27 UTC (Thu) by dlang (subscriber, #313) [Link]

iOS and Android are both pretty new platforms

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:30 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

They're also widely-used; many features don't work with ancient browsers anyway.

Are you really arguing that supporting a handful of users with ancient browsers is worth sacrificing everyone's privacy?

Gathering session cookies with Firesheep

Posted Nov 4, 2010 23:50 UTC (Thu) by nteon (subscriber, #53899) [Link]

according to Wikipedia, no IE on WinXP has SNI support. Thats unfortunately a large chunk of the general, internet browsing public.

Gathering session cookies with Firesheep

Posted Nov 9, 2010 14:36 UTC (Tue) by holstein (guest, #6122) [Link]

Well, that could be (another) incentive to move on to something better.

And Linux runs ususally very well on these ancient machines ;)

Gathering session cookies with Firesheep

Posted Nov 5, 2010 9:03 UTC (Fri) by ekj (guest, #1524) [Link]

Everyone who is on XP and using IE (any version!) lives without SNI. As far as I know (it's been a while since I've used it, so possibly, this has been fixed) IIS also fails to support SNI.

A solution which is unavailable on ~25% of all webservers, and which fail to work for ~10% of all users, is not currently viable.

It seems likely this problem will go away in the future. But at the moment, it's a real problem. 5 years from now, I expect SNI will be pretty universally supported. It'll allow shared-ip-webhosts to offer https afterall, and that's a pretty major progress.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds