Electronic Frontier Foundation Encryption Privacy Security The Internet Wireless Networking Your Rights Online

How To Protect Against Firesheep Attacks

Monday we mentioned Firesheep, a plug-in that trivializes ID spoofing on social networks. Since then various security researchers have come out to suggest How to Protect Yourself against Firesheep Attacks (submitted by Batblue). Of course the advice is pretty obvious: Don't use free Wi-Fi, use SSL, or a VPN. It seems to me that the big sites should start by redirecting all non-SSL traffic to https automatically. If you want to be insecure, you'd have to explicitly state that you can't encrypt for some reason.
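As an added example (not code from Slashdot, the submitter, or any site named in the thread), here is a minimal WSGI application that implements the policy the summary argues for: every plaintext request is redirected to its https equivalent, and the session cookie is issued only over TLS with the Secure and HttpOnly flags, so the browser never replays it over an open Wi-Fi link where a sniffer could read it. It also honours X-Forwarded-Proto so the redirect still works behind the TLS-terminating accelerator one commenter suggests; the host, path, cookie name and token value are constructed for illustration.

```python
from http import cookies
from urllib.parse import quote

SESSION_COOKIE = "sid"   # hypothetical session cookie name


def is_https(environ):
    """True if the request arrived over TLS, either directly or via a
    TLS-terminating proxy/accelerator that sets X-Forwarded-Proto."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_url(environ):
    """Rebuild the requested URL with an https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO", "/"))
    qs = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + qs if qs else "")


def application(environ, start_response):
    if not is_https(environ):
        # Plaintext leg: redirect and neither read nor set any cookie here
        start_response("301 Moved Permanently",
                       [("Location", https_url(environ)),
                        ("Content-Type", "text/plain")])
        return [b"Redirecting to HTTPS\n"]
    c = cookies.SimpleCookie()
    c[SESSION_COOKIE] = "example-session-token"   # constructed value
    c[SESSION_COOKIE]["secure"] = True     # browser sends it only over TLS
    c[SESSION_COOKIE]["httponly"] = True   # not readable from page scripts
    c[SESSION_COOKIE]["path"] = "/"
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", c.output(header="").strip())]
    start_response("200 OK", headers)
    return [b"Hello over TLS\n"]


def call(environ):
    """Invoke the app without a server; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
    body = b"".join(application(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Mount `application` under any WSGI server (for example `wsgiref.simple_server`) to run it for real; `call()` exists so the redirect and cookie behaviour can be checked offline.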

  • Re:That's Expensive (Score:4, Interesting)

    by IAmGarethAdams ( 990037 ) on Wednesday October 27, 2010 @01:52PM (#34040060)

    Not necessarily true, Google have a solution [imperialviolet.org] which means that

    SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead

  • Put SSL accelerator appliances in front of the webservers, use dedicated hardware which is designed to handle ssl.

  • Re:That's Expensive (Score:4, Interesting)

    by gad_zuki! ( 70830 ) on Wednesday October 27, 2010 @02:36PM (#34040628)

    The difference here is that gmail and facebook are two very different applications. Facebook relies on a lot of client-side caching (html pages, photos, graphics, flash objects, etc) while gmail is mostly dynamic and does a lot of heavy lifting on the client side. With SSL enabled the clients won't cache anything and mixing http and https objects throws a security error on one or more of the major browsers. I'm sure Facebook can force SSL but end users won't like the diminished performance and if Facebook mixes items then end users will complain or freak out when their browser warns them about it.

    I think the browser makers need to address this. I don't see why we shouldn't cache SSL items. They can simply be cached in an encrypted volume using the SSL key. That's probably less of a performance hit than going back on the network and re-requesting all those objects.

  • by KevMar ( 471257 ) on Wednesday October 27, 2010 @03:51PM (#34041572) Homepage Journal

    Use a switched network ....

    This is a packet sniffer. If you are on a switched network, the degree of difficulty to pull this off is much greater. It is not a solution because of other tricks like ARP poisoning.

    This is nothing new, but it is good publicity to remind people how important SSL is. This addon did not change anything except now more script kiddies have access to another tool.
