When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
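The weakness described above is visible from the server side in the response headers: a session cookie set without the `Secure` attribute will be sent by the browser on every plain `http://` request, which is exactly what a passive listener on an open network needs. The following audit script is an added example and is not code from the original post or from the Firesheep project. It parses `Set-Cookie` headers and reports session cookies a browser would transmit in the clear; the `SESSION_NAME_HINTS` heuristic, the sample responses and the function names are constructed for illustration.

```python
"""Audit HTTP response headers for session cookies that a browser would send in the clear.

Added example (not part of the original post). The sample headers below are
constructed, not captured traffic.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Heuristic: cookie names that usually carry a login session. This is an
# assumption for the example, not an authoritative list; extend it for the
# application under review.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

Header = Tuple[str, str]


@dataclass
class CookieInfo:
    name: str
    secure: bool
    http_only: bool
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into the cookie name and its attributes.

    Attribute names are case-insensitive (RFC 6265). Secure and HttpOnly are
    flag attributes with no value; everything else is kept as key/value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    secure = http_only = False
    for part in parts[1:]:
        key, _, value = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key:
            attrs[key] = value.strip()
    return CookieInfo(name, secure, http_only, attrs)


def looks_like_session_cookie(name: str) -> bool:
    """True if the cookie name matches one of the session-name hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(scheme: str, headers: List[Header]) -> List[str]:
    """Return findings for one response, given the scheme it was served over."""
    findings: List[str] = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, raw in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(raw)
        if not looks_like_session_cookie(cookie.name):
            continue  # e.g. a language preference; not a hijacking target
        if scheme == "http":
            findings.append(f"{cookie.name}: issued over plaintext HTTP; already exposed on the wire")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure; browser will send it on any http:// request")
        if not cookie.http_only:
            findings.append(f"{cookie.name}: missing HttpOnly; readable by page scripts")
    if scheme == "https" and not has_hsts:
        # A Secure cookie protects the cookie, but the first http:// request a user
        # types still goes out in the clear unless the browser is told to upgrade it.
        findings.append("no Strict-Transport-Security header; http:// requests are not upgraded")
    return findings


# Constructed sample responses: the weak pattern the post describes, and a hardened one.
WEAK_RESPONSE: Tuple[str, List[Header]] = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=EXAMPLE_SESSION_VALUE; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
])

HARDENED_RESPONSE: Tuple[str, List[Header]] = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=EXAMPLE_SESSION_VALUE; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
])


if __name__ == "__main__":
    for label, (scheme, headers) in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_response(scheme, headers) or ["no findings"]:
            print("  " + finding)
```

Run against the constructed samples, the weak response produces three findings for `sessionid` and none for `lang`, while the hardened response produces none. The script only inspects headers you already have (for example from your own server's responses); the point is that marking the session cookie `Secure` is necessary but not sufficient, since the site must also serve every page over HTTPS for the session to keep working, which is the full end-to-end encryption the post calls for.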
Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.
After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:
Double-click on someone, and you're instantly logged in as them.
That's it.
Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
Reference:
http://codebutler.com/firesheep/
http://www.f-secure.com/weblog/archives/00002055.html