
Re: Let's talk about HTTPS Everywhere



On the 19/01/2011 17:46, Camaleón wrote:
> On Wed, 19 Jan 2011 10:53:50 -0500, Curt Howland wrote:
> 
>> On Wednesday 19 January 2011, Camaleón was heard to
>> say:
> 
>>> Data stored in cookies is not what I understand for "sensitive". What
>>> kind of information do you think are cookies managing?
>>
>> Maybe this would be enlightening:
>>
>> http://codebutler.com/firesheep
>>
>> FTA:
>> "It's extremely common for websites to protect your password by
>> encrypting the initial login, but surprisingly uncommon for websites to
>> encrypt everything else. This leaves the cookie (and the user)
>> vulnerable. HTTP session hijacking (sometimes called "sidejacking") is
>> when an attacker gets a hold of a user's cookie, allowing them to do
>> anything the user can do on a particular website. On an open wireless
>> network, cookies are basically shouted through the air, making these
>> attacks extremely easy."
> 
> Maybe I have not expressed myself properly.
> 
> Any data passing through an unencrypted channel is vulnerable to being 
> fetched and reviewed by anyone, and we all know that.
> 
> My point here is that I don't mind about _that kind of data_ being 
> disclosed because it is public and easily gathered by other means (anyone 
> reading my e-mail headers can see my IP address and/or e-mail client) and 
> tracking cookies (session cookies) do not contain sensitive information 
> (by "sensitive information" I mean passwords or username logins for 
> gaining access to online services, like banking, shopping or such).
> 
> In brief:
> 
> - Does the cookie contain sensitive/private information? → set/get the 
> cookie using ssl
> 
> - Does the cookie contain standard/publicly available information → no 
> need to be encrypted
> 
> What I fear, more than "unencrypted" browsing, is e-mail/ftp logins using 
> clear text passwords.
> 
> Greetings,
> 

It is not only the data enclosed inside the cookie that is at risk
here, but the entire session on the website you are logged into. Say you
log into your "friendface" account and someone near you catches your
unencrypted session cookie; then he is YOU on YOUR "friendface" account...

Enjoy.

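To make the point above concrete, here is a small simulation (added here as an illustration; it is not code from this thread, from Firesheep or from any real site). A toy "friendface" server issues a session cookie at login and treats any request carrying a valid cookie as that user; a simulated browser sends cookies according to the Secure attribute; a passive listener on an open WLAN sees the plaintext of http:// requests and nothing useful from https:// ones. The hostname friendface.example, the user "alice", and the fact that the password is never checked are all constructed for the demo. The interesting case is a site that encrypts only the login and serves everything else over plain HTTP: the cookie contains no password, yet whoever captures it is the user.

```python
"""Sidejacking demo: an unencrypted session cookie is as good as the login."""
import secrets
from http.cookies import SimpleCookie


class FriendfaceServer:
    """Toy web app. After login, the session cookie alone identifies the user."""

    def __init__(self, secure_cookies: bool):
        self.sessions = {}            # session id -> username
        self.secure_cookies = secure_cookies

    def login(self, username: str, password: str) -> str:
        # Password check deliberately omitted (constructed demo); the point is
        # what the cookie is worth *after* a successful login.
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        c = SimpleCookie()
        c["sid"] = sid
        c["sid"]["httponly"] = True   # keeps script on the page from reading it
        if self.secure_cookies:
            c["sid"]["secure"] = True  # browser must only send it over HTTPS
        return c.output(header="").strip()   # value of the Set-Cookie header

    def whoami(self, cookie_header: str):
        """Return the username bound to the Cookie header, or None."""
        c = SimpleCookie()
        c.load(cookie_header or "")
        sid = c["sid"].value if "sid" in c else None
        return self.sessions.get(sid)


class Browser:
    """Minimal cookie jar that honours the Secure attribute like a browser."""

    def __init__(self):
        self.jar = []                 # list of Morsel objects

    def store(self, set_cookie_value: str) -> None:
        c = SimpleCookie()
        c.load(set_cookie_value)
        self.jar.extend(c.values())

    def cookie_header(self, url: str) -> str:
        https = url.startswith("https://")
        # Morsel["secure"] is "" when the flag is absent and True when set.
        return "; ".join(f"{m.key}={m.value}" for m in self.jar
                         if https or not m["secure"])


def sniff(request):
    """What a passive listener on an open WLAN gets: plaintext headers for
    http:// requests, nothing readable for https:// (TLS records only)."""
    url, headers = request
    return dict(headers) if url.startswith("http://") else {}


def scenario(secure_flag: bool, later_url: str):
    """Login over HTTPS, then fetch `later_url` with the cookie the browser
    is willing to send. Returns (who the server thinks the victim is,
    who the server thinks the attacker replaying the sniffed cookie is)."""
    server = FriendfaceServer(secure_cookies=secure_flag)
    victim = Browser()
    victim.store(server.login("alice", "hunter2"))   # constructed credentials
    request = (later_url, {"Cookie": victim.cookie_header(later_url)})
    captured = sniff(request)                        # attacker on the same WLAN
    replay = captured.get("Cookie", "")
    return server.whoami(request[1]["Cookie"]), server.whoami(replay)


def missing_flags(set_cookie_value: str) -> set:
    """Quick audit of a Set-Cookie value: which protective flags are absent."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    missing = set()
    for m in c.values():
        for attr, name in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if not m[attr]:
                missing.add(name)
    return missing


if __name__ == "__main__":
    feed_http = "http://friendface.example/feed"
    feed_https = "https://friendface.example/feed"
    print("no Secure flag, http page :", scenario(False, feed_http))
    print("no Secure flag, https page:", scenario(False, feed_https))
    print("Secure flag,    http page :", scenario(True, feed_http))
    print("Secure flag,    https page:", scenario(True, feed_https))
    print("audit:", missing_flags("sid=deadbeef; HttpOnly"))
```

The first line of output is the Firesheep case: the victim is "alice" and so is the attacker, with no password ever crossing the wire. With the Secure flag set, the browser simply withholds the cookie on http:// pages, so the sniffer gets nothing; the site then has to serve those pages over HTTPS to keep the user logged in, which is exactly the "everything, not just the login" argument. HTTPS on every request without the flag also protects the cookie, but only as long as no single http:// link to the site slips in; the flag is what makes the guarantee hold regardless.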
