Slashdot Mirror


How To Protect Against Firesheep Attacks

Monday we mentioned Firesheep, a plug-in that trivializes ID spoofing on social networks. Since then various security researchers have come out to suggest How to Protect Yourself against Firesheep Attacks (submitted by Batblue). Of course the advice is pretty obvious: don't use free Wi-Fi, use SSL, or use a VPN. It seems to me that the big sites should start by redirecting all non-SSL traffic to https automatically. If you want to be insecure, you'd have to explicitly state that you can't encrypt for some reason.

6 of 208 comments

  1. Re:how about by rakuen · Score: 3, Informative

    Guess you're going to have to quit /. because we're using vanilla http at the moment as well.

  2. Myopic view of how browsers treat SSL by kamelkev · Score: 4, Informative

    The idea that "It seems to me that the big sites should start by redirecting all non-ssl traffic to https automatically" is very shortsighted when you consider how social networking sites actually work.

    Social networks by their very nature include cross posting of content found from around the internet. If a site is running in "SSL only" mode then you'd very quickly see intermixed SSL and non-SSL content living side by side, and this creates a disaster for the admins of any web service.

    For those who aren't familiar, modern web browsers throw up warnings whenever you intermix SSL and non-SSL content - it's been this way for years, and it's a problem for anyone who accepts user-generated or cross-site content.

    If someone like Facebook were to implement this policy they'd immediately get a flood of complaints about these warnings.

    SSL isn't very good protection nowadays anyway - we need something better.
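The mixed-content problem the comment above describes is easy to check for mechanically. The following is an added example (not code from Slashdot or from any commenter) that walks a fragment of user-submitted HTML and lists the sub-resources a browser would fetch over plain HTTP when the page itself is served over HTTPS; those are exactly the references that trigger the warning. The sample HTML and the page URL are constructed for the demonstration.

```python
"""Find sub-resource references that would be mixed content on an HTTPS page.

Added example; not from the original page.  Sample input is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose listed attribute makes the browser fetch a sub-resource.
# <a href> is navigation, not a sub-resource, so it is deliberately absent.
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "video": "src", "audio": "src", "source": "src", "link": "href",
}


class MixedContentFinder(HTMLParser):
    """Collect absolute http:// URLs of sub-resources found in the document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # <link> only fetches something for stylesheets/icons; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower() \
                and "icon" not in (attrs.get("rel") or "").lower():
            return
        value = attrs.get(attr_name)
        if not value:
            return
        # Relative ("/x.png") and protocol-relative ("//cdn/x.js") references
        # inherit the page's https: scheme and are fine; only an explicit
        # http: scheme is mixed content.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            self.insecure.append(absolute)


def find_mixed_content(page_url, html):
    """Return the list of http:// sub-resource URLs referenced by `html`
    when it is served at `page_url` (expected to be an https:// URL)."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure


# Constructed sample: a user post that embeds content from around the web.
SAMPLE_PAGE_URL = "https://social.example/post/1"
SAMPLE_HTML = """
<p>Look at this:</p>
<img src="http://cdn.example.org/a.png">
<script src="//cdn.example.org/widget.js"></script>
<img src="/static/local.png">
<a href="http://blog.example.org/">my blog</a>
<link rel="stylesheet" href="http://blog.example.org/style.css">
<link rel="canonical" href="http://social.example/post/1">
"""

if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("mixed content:", url)
```

Run against the sample, only the `<img>` from cdn.example.org and the stylesheet are reported: the protocol-relative script and the site-relative image resolve to https, and the `<a>` link and canonical `<link>` are not fetched as sub-resources. A site that wants to accept such content without the warnings has to rewrite or proxy the flagged URLs itself; the check just tells it which ones.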

  3. Re:Let's just encrypt everything all the time by bunratty · Score: 4, Informative

    I read that when Google switched Gmail over to HTTPS that their server load increased by 1%. Today's CPUs are blazingly fast. Why would you think that the server load would be an issue with encrypting and decrypting all communication? A web site is largely about having a large enough Internet connection and a large and fast enough database to keep up with the Internet traffic. Those CPUs are mostly just sitting around twiddling their thumbs waiting for I/O.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  4. Re:Let's just encrypt everything all the time by RedACE7500 · Score: 3, Informative

    Just terminate the SSL at your load balancer. This also allows you to offload the SSL work to a machine (or machines) dedicated to doing so and keep that work off your web servers.
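Two things fit together here: the summary's suggestion to redirect all non-SSL traffic to https, and this comment's suggestion to terminate SSL at the load balancer. Once the balancer terminates SSL, the web servers only ever see plain HTTP, so the "is this request encrypted?" decision has to come from a forwarded header, and that header must only be trusted from the balancer or anyone can suppress the redirect by sending it themselves. The added example below (not code from Slashdot or from any commenter) shows that decision logic, and also sets the session cookie with the Secure flag, because a redirect on its own does not protect a cookie the browser has already sent on the initial http:// request; Firesheep only needs that one plaintext request. The balancer address range, host names and header layout are assumptions made for the example.

```python
"""HTTP->HTTPS redirect decision behind an SSL-terminating load balancer,
plus a Secure/HttpOnly session cookie.  Added example; not from the page.
"""
from http.cookies import SimpleCookie
from ipaddress import ip_address, ip_network

# Assumption: only the load balancers on this network terminate SSL and are
# allowed to assert X-Forwarded-Proto.  A client elsewhere that sends the
# header itself is ignored and still gets redirected.
TRUSTED_LB_NETWORKS = [ip_network("10.0.0.0/24")]


def effective_scheme(peer_ip, request_scheme, headers):
    """Scheme the real client used.

    The backend itself speaks plain HTTP to the balancer, so request_scheme
    is normally "http"; the balancer tells us what the client used via
    X-Forwarded-Proto.  Honour it only from a trusted balancer address.
    """
    if any(ip_address(peer_ip) in net for net in TRUSTED_LB_NETWORKS):
        # Proxies may append values; the first one describes the client hop.
        forwarded = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    return request_scheme


def handle(peer_ip, request_scheme, host, path, headers, session_id):
    """Return (status, response_headers) for a request.

    Plain HTTP is answered with a permanent redirect to the https:// URL;
    HTTPS is served and the session cookie is (re)issued with Secure, so the
    browser will never include it in a plaintext request again.
    """
    scheme = effective_scheme(peer_ip, request_scheme, headers)
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}

    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True      # only sent over https://; a Wi-Fi sniffer never sees it
    cookie["session"]["httponly"] = True    # not readable by page script
    cookie["session"]["path"] = "/"
    return 200, {"Set-Cookie": cookie.output(header="").strip()}


if __name__ == "__main__":
    # Client hit http:// directly, balancer reports it: redirect.
    print(handle("10.0.0.7", "http", "www.example.com", "/inbox",
                 {"X-Forwarded-Proto": "http"}, "abc123"))
    # Client used https://, balancer terminated it: serve with Secure cookie.
    print(handle("10.0.0.7", "http", "www.example.com", "/inbox",
                 {"X-Forwarded-Proto": "https"}, "abc123"))
    # Random host forging the header: still redirected.
    print(handle("203.0.113.5", "http", "www.example.com", "/inbox",
                 {"X-Forwarded-Proto": "https"}, "abc123"))
```

The balancer must also be configured to set X-Forwarded-Proto itself and drop any copy the client supplied; otherwise the "trusted peer" check is not enough, since the forged header arrives via the trusted address.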

  5. Re:That's Expensive by goofy183 · Score: 3, Informative

    You can tell a browser to cache things provided over SSL by setting the Cache-Control and Expires headers appropriately as well as making use of ETags and 304 responses. It's not hard, and with good use of ETags you can reduce a LOT of both network and application work.
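The header dance described in the comment above, as an added example that is not part of the original page or any commenter's code: the server stamps each response with an ETag and Cache-Control/Expires, and on a repeat request compares the client's If-None-Match against the current ETag and answers 304 with no body when it matches. The resource bytes and the one-hour lifetime are constructed for the example; `private` is used rather than `public` because a logged-in social page should not land in a shared cache.

```python
"""Cache headers and ETag-based conditional GET for HTTPS responses.
Added example; not from the page.  Sample body and lifetime are constructed.
"""
import hashlib
import time
from email.utils import formatdate

MAX_AGE = 3600  # seconds the browser may reuse its copy without asking


def etag_for(body: bytes) -> str:
    """Strong validator derived from the content; any byte change changes it."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def etags_match(if_none_match, current_etag):
    """True if the client's If-None-Match covers current_etag.

    The header may be "*" or a comma-separated list, and entries may be weak
    (W/"...").  For a GET, weak comparison is allowed, so W/ is stripped.
    """
    if not if_none_match:
        return False
    if if_none_match.strip() == "*":
        return True
    offered = set()
    for tag in if_none_match.split(","):
        tag = tag.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        offered.add(tag)
    return current_etag in offered


def serve(request_headers, body: bytes):
    """Return (status, headers, body) for a GET of `body`.

    Full 200 with cache headers on first request; 304 with empty body when
    the client already holds the current version.
    """
    etag = etag_for(body)
    headers = {
        "ETag": etag,
        "Cache-Control": f"private, max-age={MAX_AGE}",
        "Expires": formatdate(time.time() + MAX_AGE, usegmt=True),
        "Vary": "Cookie",  # the cached copy is tied to the session that fetched it
    }
    if etags_match(request_headers.get("If-None-Match"), etag):
        return 304, headers, b""
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    profile = b"<html>constructed profile page v1</html>"
    status, hdrs, _ = serve({}, profile)
    print(status, hdrs["ETag"], hdrs["Cache-Control"])
    status, _, body = serve({"If-None-Match": hdrs["ETag"]}, profile)
    print(status, len(body))          # 304 and 0 bytes on the wire
    status, _, body = serve({"If-None-Match": hdrs["ETag"]}, profile + b"!")
    print(status, len(body))          # content changed: full 200 again
```

Browsers historically refused to cache HTTPS responses unless the server said so explicitly, which is why the headers are set rather than left to defaults; the application work saved is whatever would have gone into rendering the body that the 304 omits.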

  6. Re:Let's just encrypt everything all the time by dgatwood · Score: 3, Informative

    Akamai works just fine with SSL. Akamai is not a transparent cache, but rather an explicit push cache in which a web administrator chooses content to host on Akamai, pushes the content to their servers, and modifies local content to point to the Akamai copy when it has been fully staged. Akamai has supported SSL for almost a decade now.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.