This is Bugmenot5's Typepad Profile.
Recent Activity
> a single cookie will only ever be sent to a single domain, at most,
> and cannot be used to impersonate your identity on other websites.

While that is technically true, most people don't understand how serious the lack of SSL is: If I'm in such an open wifi (without you using VPN), I just have to intercept ANY http page you access and on the fly add some img tags into the unencrypted, unprotected html you download. That way I can make your browser send me many more cookies!

And another big big problem: Did you notice how IE sometimes warns you that secure and insecure traffic is mixed? Mostly because of horrible ad networks? The attacker just has to modify that js that is loaded insecurely into a secure page and insert some javascript to steal the cookies and send them to me using GET requests!

BTW: How about me offering you a cable with internet in my company and me saving all your network traffic and passwords to your extranet? ALWAYS use VPN!
Commented Nov 15, 2010 on Breaking the Web's Cookie Jar at Coding Horror
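A defender-side check for the mixed-content problem described in the comment above, as an added example that is not part of the original comment or of Coding Horror: it lists every subresource an HTTPS page would fetch over plain HTTP. The hostnames, the sample page and the active/passive labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# active: the fetched resource can run code in the page; passive: it is only
# displayed, but the request can still carry non-Secure cookies for that host.
KINDS = {"script": ("src", "active"), "iframe": ("src", "active"),
         "embed": ("src", "active"), "object": ("data", "active"),
         "img": ("src", "passive"), "audio": ("src", "passive"),
         "video": ("src", "passive"), "source": ("src", "passive")}

class MixedContentAudit(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # changes if the page carries <base href>
        self.findings = []     # (severity, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            attr, severity = "href", "active"
        elif tag in KINDS:
            attr, severity = KINDS[tag]
        else:
            return
        # urljoin resolves relative and protocol-relative (//host) references
        url = urljoin(self.base, a.get(attr) or "")
        if a.get(attr) and urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page and hosts, not taken from any real site.
SAMPLE = """<head><script src="http://ads.example/track.js"></script>
<script src="//cdn.example/lib.js"></script>
<link rel="stylesheet" href="/site.css"></head>
<body><img src="http://img.example/banner.png"><img src="logo.png"></body>"""

if __name__ == "__main__":
    for finding in audit("https://shop.example/account", SAMPLE):
        print(finding)
```

A `<base href="http://...">` element turns every relative reference on the page into a plain-HTTP fetch, which is why the audit tracks the base URL instead of only matching literal `http://` attributes.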
> if you must go wireless, seek out encrypted wireless networks.

Is this enough? I'm quite sure that with WEP or WPA or WPA2 without RADIUS servers etc., where everyone uses a common password that is the same for every user, this does not help: If someone knows that password and is inside the encrypted wireless network, he should be able to run Firesheep and capture the traffic of everyone else in the same network. The only solution for using public wifi is to always use a VPN of a trusted entity, e.g. your company. Of course it must be set up to send all web surfing over the VPN.
Commented Nov 14, 2010 on Breaking the Web's Cookie Jar at Coding Horror
Bugmenot5 is now following The Typepad Team
Nov 13, 2010