
Gathering session cookies with Firesheep

Posted Nov 5, 2010 17:04 UTC (Fri) by Simetrical (guest, #53439)
In reply to: Gathering session cookies with Firesheep by gerv
Parent article: Gathering session cookies with Firesheep

"If you made the warnings less severe, the problems they are there to prevent would become more common."

Correct, but if you make the warnings more severe than warranted, users pay less heed to warnings generally. If the user never received a browser security warning before in their life, the first time will make them think twice. If they've seen them before and wound up going ahead and nothing bad happened, they'll come to ignore them.

Honesty might not always be the best policy, but the current policy is certainly bad. In real life we know that certain types of cert errors are much more likely to be innocuous than others -- like a cert for "www.amazon.com" on "amazon.com", vs. a large banking site using a self-signed cert. A lot of this knowledge could be wired into the browser, and the warnings could be adjusted accordingly. Attackers will realistically target mostly large e-commerce or banking sites, where they can see easy gains, so getting a list of those and stepping up the warnings there while scaling back for others would greatly increase warning accuracy.

I'm hopeful that STS will mostly solve the problem, by giving an out-of-band automated way to get a list of sites that really want to commit to using valid certs always. (Out-of-band because the real value will be when lists ship with the browser and auto-update.) In that case, non-STS sites can have their warnings greatly moderated, ideally notification bars instead of interstitials. But the existing problem is real, and could have been mitigated by the browser implementers by deploying fairly simple heuristics long before now -- when instead some have been making it worse.
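The following is an added illustration (editor's example, not part of Simetrical's comment and not any browser's actual code) of the two mechanisms the comment contrasts: an STS commitment, which makes a certificate error non-overridable, and the softer host-name heuristic the comment proposes for sites that have made no such commitment. The preload list, the high-value-site list, the host names, the header strings and the three outcome labels are all constructed for the example.

```python
"""Model of STS state versus a certificate-warning heuristic (editor's example).

Constructed assumptions: PRELOAD_LIST stands in for a browser-shipped list,
HIGH_VALUE_SITES for the comment's list of large banking/e-commerce sites,
and the outcome labels 'hard_fail' / 'interstitial' / 'notification_bar'
are an invented three-level warning scale.
"""
from dataclasses import dataclass
import time

# Constructed: host -> whether the preload entry also covers subdomains.
PRELOAD_LIST = {"bank.example": True}
# Constructed: sites whose warnings the heuristic always steps up.
HIGH_VALUE_SITES = {"bank.example", "shop.example"}


@dataclass
class HstsEntry:
    expires_at: float
    include_subdomains: bool


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns (max_age, include_subdomains) or None when the header is invalid."""
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives (including "preload") are ignored by the client
    if max_age is None:
        return None  # max-age is mandatory
    return max_age, include_subdomains


class HstsStore:
    """Dynamic STS state a client accumulates from headers seen over TLS."""

    def __init__(self):
        self.entries = {}

    def record(self, host, header, over_tls, now=None):
        if not over_tls:
            return  # RFC 6797: the header is ignored on an insecure connection
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        now = time.time() if now is None else now
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 withdraws the commitment
        else:
            self.entries[host] = HstsEntry(now + max_age, include_subdomains)

    def is_known(self, host, now=None):
        """True if host (or a parent with includeSubDomains) is an STS host,
        either from the dynamic store or the constructed preload list."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            entry = self.entries.get(candidate)
            if entry and entry.expires_at > now and (exact or entry.include_subdomains):
                return True
            if candidate in PRELOAD_LIST and (exact or PRELOAD_LIST[candidate]):
                return True
        return False


def classify_cert_error(host, error, cert_names, store, now=None):
    """Map a certificate error ('name_mismatch' or 'self_signed') to a warning level."""
    if store.is_known(host, now):
        return "hard_fail"  # STS host: no click-through offered at all
    if host in HIGH_VALUE_SITES:
        return "interstitial"  # stepped-up warning for the listed sites
    if error == "name_mismatch":
        # The comment's benign case: a cert for www.host presented on host (or vice versa)
        bare = host[4:] if host.startswith("www.") else host
        if any(name == bare or name == "www." + bare for name in cert_names):
            return "notification_bar"
    return "interstitial" if error == "self_signed" else "notification_bar"
```

The split between `HstsStore` and `classify_cert_error` is the point of the comment: STS turns the question "how scary should this warning be?" into "is this host committed?", which a client can answer from a shipped list without any heuristic, while the heuristic only applies to hosts that have made no commitment.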



Copyright © 2018, Eklektix, Inc.