Discussion in 'privacy problems' started by vasa1, Oct 25, 2010.
How To Protect Your Login Information From Firesheep by Alexia Tsotsis.
Mozilla: No 'kill switch' for Firesheep add-on by Gregg Keizer.
Can anyone advise on this issue? Suppose I share my DSL router with five other users, wired and wireless. Does this mean that they can grab my credentials via Firesheep?
It looks like the FireSheep add-on currently (last I checked was yesterday) only installs on Windows and Macs - not yet Linux per notice on author's website.
Everything says open Wi-Fi, but what if all machines, including the one with Firesheep, are inside of a WPA2 network? Does it work in that situation? I don't have any time to test myself.
Edit: Actually I tried to test it and it gives a list of interface options, and my wireless adapter does not show. As it lists wired connections I would have to assume this will work on unswitched wired networks? Therefore if I had to guess it would work on any network where the Firesheep user was already inside though I am unable to test. My concern is that someone here at work will use this. I may need to turn off the wireless and plug into the gigabit switch on my desk.
Fight Firesheep with FireShepherd
Using Firesheep may be illegal!
Edit: This link now just points to the main page of downloadsquad.com.
And yet Mozilla has officially stated they won't be removing the add-on from their site.
Mozilla isn't responsible for how we use it. Removing it would just drive it underground. I installed it at work to see if it was a valid threat for us. I determined it was not. Then I removed it. That usage should not be illegal and I am not stupid enough to connect to an open wireless network. So the only case where it is really a problem is for it to be used by people that are going to find one way or another to do what this accomplishes anyway.
The not being responsible for how it's used argument is used for many things, yet, when the s**t hits the fan, the argument never works. To many people, knowingly hosting such an add-on is damning enough. Do I necessarily agree that Mozilla is endorsing hackers now? Of course not. But, I do think it should be removed from their official add-on page just as a "CYA". It's a better PR move to toss it out than to keep it and let the news stories pile up, IMHO, even if the add-on isn't as "evil" as it may be made out to be. Mozilla doesn't need the "Google curse".
Hey guys, I think you should read what Mozilla actually said.
The add-on is not hosted by Mozilla, they just stated they won't block it.
That link is no longer valid. The article is gone. All you get now is the Download Squad main page.
Schneier on Security: Firesheep
Wow this is crazy...
Do you have to be connected to a WiFi network for it to work, or can hacks be hooked to a wired network and sniff with it?
Is it legal to use Firesheep at Starbucks? by Gregg Keizer.
Yes, this vulnerability doesn't affect only wireless networks. This can be exploited on wired networks via a technique known as ARP Spoofing.
It's not just OPEN wireless networks. Although it is slightly more difficult to exploit on networks using WPA2 due to the use of TKIP, if the attacker has access to the network they can use a technique known as ARP Spoofing to sniff your traffic.
Yep, wired networks are vulnerable! You can read more about it at my post here: Misconceptions about Firesheep
And they would only require FireSheep..?
Thanks. Nice article by you.
Microsoft responds to Firesheep cookie-jacking tool
Even Forced SSL is broken for some sites.
One of the comments there is from the author of NoScript:
Re: Firesheep! Microsoft will fix Hotmail/Windows Live with full SSL this month.
In a reaction to George Ou, writer of a couple of articles on Firesheep for Digital Society, Microsoft has stated that it will offer full SSL for Hotmail/Windows Live this month:
'In addition to protecting customers information at login, in November we will enable Hotmail customers to maintain full-session SSL encryption during their entire Hotmail session, which mitigates cookie-stealing exploits.' link
Facebook has stated that they 'hope to provide it as an option in the coming months'. link
Firesheep seems to achieve (partially) what it was made for: by pressuring/'naming and shaming' companies, forcing them to start offering full SSL to their customers.
Time for Yahoo! to get their finger out!
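Added example (not part of the thread and not any poster's code): a small audit of the condition the posts above describe, where a site protects the login with SSL but the session cookie can still travel over plain HTTP. It checks `Set-Cookie` headers for the `Secure` attribute; the function names, cookie names and the two sample responses are constructed for illustration.

```python
# Added example: flag cookies that a browser would also send over plain HTTP.
# All header samples below are constructed, not captured from any real site.

def parse_set_cookie(header_value):
    """Return (cookie_name, set_of_lowercased_attribute_names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def exposed_cookies(raw_headers):
    """List cookies set without Secure, i.e. visible to a sniffer on HTTP."""
    exposed = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                exposed.append(name)
    return exposed

# Constructed: login handled over SSL, but the session cookie lacks Secure,
# so it is sent in the clear on the first later http:// request.
LOGIN_ONLY_SSL = """HTTP/1.1 302 Found
Location: http://mail.example.test/inbox
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: csrf=xyz; Path=/; Secure
"""

# Constructed: full-session SSL, every cookie restricted to HTTPS.
FULL_SESSION_SSL = """HTTP/1.1 302 Found
Location: https://mail.example.test/inbox
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly
Set-Cookie: csrf=xyz; Path=/; Secure
"""

if __name__ == "__main__":
    for label, resp in (("login-only SSL", LOGIN_ONLY_SSL),
                        ("full-session SSL", FULL_SESSION_SSL)):
        leaked = exposed_cookies(resp)
        status = "EXPOSED: " + ", ".join(leaked) if leaked else "ok"
        print(f"{label}: {status}")
```
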