User: Password:
Subscribe / Log in / New account

Gathering session cookies with Firesheep

Gathering session cookies with Firesheep

Posted Nov 10, 2010 6:21 UTC (Wed) by ekj (guest, #1524)
In reply to: Gathering session cookies with Firesheep by gerv
Parent article: Gathering session cookies with Firesheep

The thing is, it's a strawman, because an ordinary https-certificate, even one that's signed by a CA, is *also* not considered good enough for a bank, and infact, atleast where I live (Norway) I'm fairly sure no bank goes without extended validation or whatever it's named.

That causes significant and clear gui-changes, namely a large green bar stating the name of the institution.

In contrast, https causes a tiny grey padlock to appear in the bottom-right corner, next to the Sync-icon, which is pretty close to totally nonvisible.

Yes, I get the point that https:-self-signed has an identical url to https:-with-certificate and that thus users with bookmarks is at risk. (few users enter the url with https: Joe Public has by this time LONG gotten used to not typing http(s):// instead if they enter the address at all, they go for "". That often redirects to but I don't think a large fraction of users would notice if it stopped doing that.

AND - and that's my most significant point: The question isn't if a change would cause harm. The question is if the benefits would outweigh the harm, or vice versa. One practical consequence of the current situation, is that self-signed, is essentially not-usable. And encryption of any sort whatsoever is, essentially, not available for everyone hosting a simple website on a shared-ip-address which means probably 95% of the websites in the world.

The practical result of this decision, despite being made for reasons of security -- is that nearly all websites have no encryption whatsoever.

(Log in to post comments)

Gathering session cookies with Firesheep

Posted Nov 10, 2010 7:32 UTC (Wed) by dlang (subscriber, #313) [Link]

you would be surprised at how many banks don't use EV certs.

and frankly, I don't blame them. In many ways the EV certs are a way for a cartel of cert providers to be able to charge $1500/cert and cut outtheir competition that has ruined their prior scam of $900 for a 128 bit cert and $250 for a cert that would drop to 40 bits if a export browser connected to it (not that there are any of those around anyway)

the amount of real checking done is still not that much.

Gathering session cookies with Firesheep

Posted Nov 10, 2010 8:29 UTC (Wed) by anselm (subscriber, #2796) [Link]

There is nothing special about EV certificates except their extortionate price tag and the fact that they have a magic flag set which will cause the site name to show up on a green background in the browser. You don't get to produce your own EV certificates the way you can produce ordinary certificates (e.g., using OpenSSL) because the magic flag is CA-specific, and browsers that support EV certificates contain a hard-coded list of the CAs which are part of the EV certificate cartel and their corresponding magic flags.

Basically, for EV certificates, the CAs that are in on the game promise that they will actually do the sort of checking they should have been doing for all certificates in the first place. That is, somebody applying for an EV certificate for an entity will have to prove that the entity really exists at the specified address. This is then used to justify a vastly increased price for the certificate.

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds