Oct 25, 2010


I just discovered a Firefox plugin called FireSheep, which sniffs the local wireless network for session cookies to common sites and allows you to sign in as anybody it finds. This is a trivial hack, and anybody with an understanding of wireless networks and how session cookies work can figure it out - and it's fairly easy to explain to anybody who doesn't have an understanding of them.

I dug a bit into their code, they have easy access to these sites:
- Amazon (which saves your credit card info, so they could potentially buy stuff on your card)
- DropBox (lots of people use this one to backup files, this would give you access to all their stuff)
- Facebook
- Github
- Google (fortunately Gmail has an option to always use https)
- Live (aka Hotmail)
- Twitter
- and many more!

So long story short, remember that if you're using your laptop on a public network you should be using https:// and not http://.

This reminds me of a program I found that is kinda neat called STunnel. This program creates a tunnel using SSL to any server that supports an SSL connection. So if you have a program that can't use SSL for whatever reason, you can just connect it to the STunnel service on your local machine and have it forward, encrypted, to wherever you are trying to connect.

No comments: