On Thu, Nov 4, 2010 at 1:17 PM, Michael Torrie <[email protected]> wrote: > On 11/04/2010 01:09 PM, Charles Curley wrote: >> I haven't seen any discussion of FireSheep here. >> >> http://www.charlescurley.com/blog/archives/2010/11/04/bringing_in_the_sheep/index.html >> > > Interesting. How is it that facebook credentials are being sent in the > clear? Or is this just a matter of hijacking a non-SSL session?
Firesheep doesn't hijack credentials. Only the session. It exploits a common hole in most websites that use SSL for login, but go in the clear for everything else. Firesheep makes it super trivial to find a session running in the clear, grab their session cookie(s), and give you full access to their account for the duration of the session. As Charles pointed out in his blog, simply using SSL for the entire session completely negates this vulnerability, and he mentions great extensions that make this really easy. --lonnie /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
