In <pan.2011.01.22.18.58.17@gmail.com>, Camaleón wrote:
>On Sat, 22 Jan 2011 15:31:10 -0200, Eduardo M KALINOWSKI wrote:
>> That's the same reason I was advocating that people should not leave
>> Wi-Fi (even if public) unencrypted. If traffic is unencrypted, it is
>> trivial for anyone to capture session IDs flying in plain text through
>> the air. If the network is encrypted, then it is much harder to capture
>> other people's traffic. (Should be impossible, but there are attacks.
>> But things are much more difficult.)
>
>I agree. Wired networks are not that exposed to these attacks.

Not entirely true. On a hubbed network, putting your network card into
promiscuous mode will allow you to see others' HTTP traffic and "sidejack"
them. Even on a switched network, there may be a way to fool the switch into
giving you enough data from the HTTP traffic to perform a "sidejack".

WPA2 is still relatively secure. WEP and WPA have known attacks that allow
attackers in radio range to effectively "tap" the connection between the
client and the AP, in addition to joining the AP as a client.

>And I still fail to see why we should encrypt _all_ of our browsing
>steps regardless of their nature.

Not encrypting is fine, if you are willing to expose the entirety of the
connection to "tapping" at various locations, most notably all the switches
between you and the destination. However, session cookies (and other
authentication tokens) are not generally something you want disclosed, which
is why end-to-end encryption with some sort of server authentication is
recommended for transferring that data.

At the end of the day, a server must use *something* in the request itself
to associate it with a user. That something must be protected from snooping,
so end-to-end encryption is required. Encrypted session cookies are more
secure than any of the HTTP Auth mechanisms for use after the initial
log in / on.

For the initial log in / on, we are already accustomed to using SSL/TLS
since it is more widely supported than any of the secure HTTP Auth
mechanisms.

HTTPS Everywhere is meant as a way for users to protect themselves when the
servers refuse to for whatever reason. Ideally, servers would take only
non-sensitive actions and provide only non-sensitive information over HTTP
(and of course, automatically "downgrade" cookies transferred over HTTP to
"only for non-sensitive" status), but some servers don't actually see that
as being in their interest. (E.g. Facebook loses relatively few page views
if it discloses too much information about you.)
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
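The server-side "downgrade" the post describes, as an added example that is not part of the original message: a session id that has been observed on a plaintext HTTP request is treated as possibly captured and stops authorising sensitive actions, while a helper checks that Set-Cookie headers carry the Secure and HttpOnly attributes. The session store, paths and cookie names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample session store; sensitive_ok is cleared once the session
# cookie has been seen in the clear (the "downgrade" step from the post).
@dataclass
class Session:
    user: str
    sensitive_ok: bool = True

SESSIONS = {"abc123": Session("alice"), "def456": Session("bob")}

def parse_cookies(header):
    """Parse a Cookie request header ("a=1; b=2") into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out

def handle_request(method, path, headers, over_tls):
    """Return (status, body) for a request.

    A session id presented over plain HTTP may already be in a sniffer's
    hands, so it keeps working for public pages but is refused for
    sensitive ones until the user re-authenticates over HTTPS."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is not None and not over_tls:
        sess.sensitive_ok = False
    # Assumption: anything under /account, or any non-GET, is sensitive.
    sensitive = path.startswith("/account") or method != "GET"
    if not sensitive:
        return 200, "public page"
    if sess is None:
        return 401, "login required"
    if not sess.sensitive_ok:
        return 403, "session downgraded: re-authenticate over HTTPS"
    return 200, f"account page for {sess.user}"

def set_cookie_is_safe(set_cookie):
    """True if a Set-Cookie header has Secure (never sent over plain HTTP)
    and HttpOnly (not readable by page scripts)."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs
```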