Gathering session cookies with Firesheep

Posted Nov 8, 2010 17:06 UTC (Mon) by gerv (guest, #3376)
In reply to: Gathering session cookies with Firesheep by ekj
Parent article: Gathering session cookies with Firesheep

I agree that Joe Public can't be trained to evaluate the danger of a changed certificate - but (and this is a big but) even if he cannot - how does that make him worse off, compared to http ?

Because if you make him used to dismissing changed-cert warnings, he'll also dismiss them when it's using CA-based HTTPS. Which makes him a lot worse off, because he'll get MITMed when accessing his bank.

Gerv