Bringing in the Sheep: the FireSheep firestorm

Lonnie Olson lists at kittypee.com
Thu Nov 4 13:24:24 MDT 2010


On Thu, Nov 4, 2010 at 1:17 PM, Michael Torrie <torriem at gmail.com> wrote:
> On 11/04/2010 01:09 PM, Charles Curley wrote:
>> I haven't seen any discussion of FireSheep here.
>>
>> http://www.charlescurley.com/blog/archives/2010/11/04/bringing_in_the_sheep/index.html
>>
>
> Interesting.   How is it that facebook credentials are being sent in the
> clear?  Or is this just a matter of hijacking a non-SSL session?

Firesheep doesn't hijack credentials.  Only the session.  It exploits
a common hole in most websites that use SSL for login, but go in the
clear for everything else.

Firesheep makes it super trivial to find a session running in the
clear, grab their session cookie(s), and give you full access to their
account for the duration of the session.

As Charles pointed out in his blog, simply using SSL for the entire
session completely negates this vulnerability, and he mentions great
extensions that make this really easy.

--lonnie


More information about the PLUG mailing list