
Gathering session cookies with Firesheep

Posted Nov 5, 2010 16:18 UTC (Fri) by gerv (subscriber, #3376)
In reply to: Gathering session cookies with Firesheep by Simetrical
Parent article: Gathering session cookies with Firesheep

In a comment on my blog, Cormac Herley rowed back somewhat from the position outlined in those paragraphs you quote.

He wrote: "[That line] was being a little provocative :-) The point I wanted to make is that the user has never seen anything to suggest that the annoyances are there for a purpose. That said, so many of the emails and comments I’ve got have flagged this line that it’s clear I should have worded it better. I completely agree that even 100% false positives doesn’t mean we can get rid of the technology."

If you made the warnings less severe, the problems they are there to prevent would become more common.

Gerv



Gathering session cookies with Firesheep

Posted Nov 5, 2010 17:04 UTC (Fri) by Simetrical (guest, #53439)

"If you made the warnings less severe, the problems they are there to prevent would become more common."

Correct, but if you make the warnings more severe than warranted, users pay less heed to warnings generally. If the user never received a browser security warning before in their life, the first time will make them think twice. If they've seen them before and wound up going ahead and nothing bad happened, they'll come to ignore them.

Honesty might not always be the best policy, but the current policy is certainly bad. In real life we know that certain types of cert errors are much more likely to be innocuous than others -- like a cert for "www.amazon.com" on "amazon.com", vs. a large banking site using a self-signed cert. A lot of this knowledge could be wired into the browser, and the warnings could be adjusted accordingly. Attackers will realistically target mostly large e-commerce or banking sites, where they can see easy gains, so getting a list of those and stepping up the warnings there while scaling back for others would greatly increase warning accuracy.

I'm hopeful that STS will mostly solve the problem, by giving an out-of-band automated way to get a list of sites that really want to commit to using valid certs always. (Out-of-band because the real value will be when lists ship with the browser and auto-update.) In that case, non-STS sites can have their warnings greatly moderated, ideally notification bars instead of interstitials. But the existing problem is real, and could have been mitigated by the browser implementers by deploying fairly simple heuristics long before now -- when instead some have been making it worse.
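The warning policy sketched in this comment, as an added example that is not part of the thread: a small STS store fed by a constructed preload list and by `Strict-Transport-Security` headers, plus a classifier that makes a certificate name mismatch a hard failure on known STS hosts (RFC 6797 forbids click-through there), a notification-bar case for the www/apex sibling mismatch mentioned above, and an interstitial otherwise. Host names, the preload entries and the `warning_level` function are assumptions for illustration; wildcard certificates are not handled.

```python
import re
import time

# Constructed stand-in for the preload list a browser would ship and auto-update.
PRELOADED_STS = {"bank.example": {"include_subdomains": True}}


def parse_sts_header(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains).
    Returns None for a malformed header (no usable max-age), which a UA ignores."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class StsStore:
    """Known-STS hosts: preload entries never expire; header entries carry an expiry."""
    def __init__(self, preload):
        self.hosts = {h: (float("inf"), p["include_subdomains"]) for h, p in preload.items()}

    def record(self, host, header, now=None):
        parsed = parse_sts_header(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        now = time.time() if now is None else now
        if max_age == 0 and host not in PRELOADED_STS:
            self.hosts.pop(host, None)          # max-age=0 clears a header-learned entry
        elif max_age:
            self.hosts[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):           # walk up: host, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def warning_level(store, host, cert_names, now=None):
    """Classify a name mismatch: hard-fail on STS hosts, soft notice for www/apex siblings."""
    if host in cert_names:
        return "none"
    if store.is_known(host, now):
        return "hard-fail"                     # no override allowed on known STS hosts
    apex = host[4:] if host.startswith("www.") else host
    if {apex, "www." + apex} & set(cert_names):
        return "notification-bar"
    return "interstitial"
```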


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds