Firesheep ported to webOS - open WiFi network users shudder | webOS Nation

by Nathan Mylott Wed, 24 Nov 2010 1:41 pm EST

Firesheep is a Firefox extension built to show just how insecure many websites are. Sit on an open network and 'listen' for the session cookies of popular sites that only protect the login page with HTTPS, and you can take over the logged-in session without ever seeing a password. The folks at codebutler want to call attention to poorly built sites and to users who don't think before logging in over open WiFi networks (and yes, people with less high-minded goals can also use the tool).

PreCentral reader Sebastian has ported the plugin over to webOS. The video shows Firesheep on the Pre easily hijacking a Gowalla session. The webOS Firesheep app does not show a list of nearby logged-in accounts the way the Firefox plug-in does, but in the video it automatically detects the Gowalla login and takes it over.

The lesson? Ask websites that only secure the login page to serve the entire session over HTTPS, since the session cookie is what gets stolen, not the password. Or use a VPN (which, by the by, is built in to webOS 2.0). Or just keep an eye out for Pre owners at your local Starbucks and pay special attention if one happens to look at you and cackle maniacally.

Source: YouTube; thanks, Sebastian!
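To make the point concrete, here is an added example (not code from the original article or from Sebastian's webOS port) of the two halves of the problem: what a passive sniffer on a shared network can read out of a single cleartext HTTP request, and a check a site operator can run against their own post-login response to see whether the session cookie would leak. The request, the two responses, the host name and the cookie names are all constructed sample data, not a real capture.

```python
"""Added example, not code from the original article or from Sebastian's webOS
port: what a passive sniffer on a shared network reads out of one cleartext
HTTP request, and a check a site operator can run on its own login response.
All messages below are constructed samples; host and cookie names are
hypothetical."""
from http.cookies import SimpleCookie

# Constructed: a cleartext request from a client that has already logged in.
SAMPLE_REQUEST = (
    b"GET /checkins HTTP/1.1\r\n"
    b"Host: gowalla.example\r\n"
    b"User-Agent: Mozilla/5.0 (webOS)\r\n"
    b"Cookie: _gowalla_session=a1b2c3d4e5f6; remember_me=1; lang=en\r\n"
    b"\r\n"
)

# Constructed: the post-login redirect of a site that secures only the login
# page and then sends the session cookie back over plain HTTP (the weak pattern).
WEAK_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://gowalla.example/\r\n"
    b"Set-Cookie: _gowalla_session=a1b2c3d4e5f6; Path=/\r\n"
    b"\r\n"
)

# Constructed: the same redirect from a site that keeps the whole session on
# HTTPS: Secure flag on the cookie, an https:// redirect target, and HSTS.
HARDENED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://gowalla.example/\r\n"
    b"Set-Cookie: _gowalla_session=a1b2c3d4e5f6; Path=/; Secure; HttpOnly\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"\r\n"
)

# Crude heuristic for "this cookie is probably the session"; Firesheep itself
# uses per-site handlers that know the exact cookie names.
SESSION_HINTS = ("sess", "sid", "token", "auth")


def split_headers(raw: bytes):
    """Split an HTTP message into its start line and (lowercased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    start_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return start_line, headers


def exposed_cookies(raw_request: bytes) -> dict:
    """Every cookie anyone on the same network can read from a plain-HTTP request."""
    _, headers = split_headers(raw_request)
    jar = SimpleCookie()
    for name, value in headers:
        if name == "cookie":
            jar.load(value)
    return {key: morsel.value for key, morsel in jar.items()}


def likely_session_cookies(cookies: dict) -> list:
    """Cookie names that look like session identifiers."""
    return sorted(n for n in cookies if any(h in n.lower() for h in SESSION_HINTS))


def audit_login_response(raw_response: bytes) -> list:
    """Findings explaining why the session stays sniffable after a secure login."""
    findings = []
    _, headers = split_headers(raw_response)
    names = {n for n, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security: the browser may keep following http:// links")
    for name, value in headers:
        if name == "location" and value.lower().startswith("http://"):
            findings.append("redirects to http:// after login")
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append(f"{cookie_name} lacks Secure: it rides along on every http:// request")
    return findings


if __name__ == "__main__":
    cookies = exposed_cookies(SAMPLE_REQUEST)
    print("visible cookies:", cookies)
    print("session candidates:", likely_session_cookies(cookies))
    print("weak site:", audit_login_response(WEAK_RESPONSE))
    print("hardened site:", audit_login_response(HARDENED_RESPONSE))
```

Nothing in the sniffed request is a password: the `_gowalla_session` value alone is enough to be treated as that user, which is why the audit looks at the Secure flag and the redirect target rather than at the login form. The `HttpOnly` attribute on the hardened response is good practice against script access but is not what stops a network sniffer; only `Secure` plus an all-HTTPS session does that.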

41 Comments

first :)

Your mom must be so proud of you.

You're in first grade! Congrats!

Bad article.

Secure login won't do crap to fix this. It's the session cookie that you are hijacking. That may or may not have credentials in it (idiocy of putting login credentials in a cookie aside). I don't care if I have your login info. I care that I get your session information that identifies you to the site.

What you need is the ENTIRE SESSION TO BE SECURED, NOT JUST THE LOGIN.

If a site relies on identity to protect information, then that session needs to be secured. HTTP, being stateless, requires that you send that session ID with EVERY REQUEST, so just protecting a login DOES NOTHING.

There's really no reason in this day and age to not use https for all websites.

Correct. The article is misleading; you can't steal passwords with Firesheep, only hijack current sessions. Session information and unencrypted cookies transmitted in the clear are what lets it work.

Also, being on an "open" wifi network doesn't matter. The network can have all the encryption you want; all you need is a device on the same network for this to work. WPA, WEP, 802.11X etc. don't matter, since the traffic is open to anyone who has the keys and is also on the same network. For it to work successfully, however, the router must allow traffic to a client to be rerouted through another client, which most enterprise-level access points do not.

There is no such thing as 802.11X. What you're thinking of is 802.1X, which handles authenticating a given user and/or device against a central credential repository. In wireless networks, this will (unless badly misconfigured) result in a unique key for each user, rendering Firesheep useless.

However, in general public networks or in cases where pre-shared keys are in use, Firesheep can function to its full potential.

Yes, thanks for the correction. I did mean 802.1X, not 802.11...

You reversed my point. Getting a password is not necessary. Saying to only protect the login screen is stupid and does nothing to protect the session if you switch back to http after authenticating.

??? I was agreeing with you, not reversing anything. Only protecting the login screen and then switching back to http is what many sites do. I never said it was a good idea. However, it is certainly possible to encrypt a cookie without needing to do SSL for the whole connection (which kills performance since it shouldn't be cached).

Been wanting this for a while, nothing nefarious, just wanted to see how secure our campus network access is. Firesheep can be circumvented if everyone connecting is connecting via an encrypted system (think a router with WPA turned on).

How to, pleeeeeease!!!!

Has this actually been released anywhere? Or is it just proof of concept?

scary

I don't want to sound mean, but I've had an easier time understanding Donald Duck than what this guy was saying

Dr. Strangelove???

Pardon his German accent, but seriously: it was understandable (especially with the vid).
I'm glad to see webOS enthusiasts contribute from around the world! Nice work, mate!
See you then

lol...
I understood him really well - but that may be because I'm German too and maybe speak English as he does :)

You must be an american. Get out of your inbred backyard and try some new culture, yes?

Oh now that was a cold thing to say..

yes, because no one anywhere other than America has trouble understanding someone who speaks with a heavy accent.

Yes. That is correct. All Americans are like that. Especially those like me who live in the Silicon Valley (where Palm is), and especially half korean-half white people like me. Yeah, here we have no other cultures besides "American" (save for Lynbrook High which is 80% Asian, and Saratoga High which is 50% Asian, 35% white, and has numerous foreign exchange students from places such as Korea, Japan, China, Austria, Germany, Slovakia, Spain, and Russia).

In all seriousness, comments like those are extremely offensive, and prove that you're just as culturally illiterate as the person you're complaining about. And he said that he didn't intend to be mean.
Sorry for the rant.

"Or just keep an eye out for Pre owners at your local Starbucks...."

HAHAHAHA other Pre users?!?!? What a joke! I can count the number of people using Pres that I've seen on two hands!

I don't need hands to count them - I've *never* seen people using a Pre! :D
(except in videos and photos on the internet - and me...)

One hand for me.

It was okay initially to feel special. To be smarter. Now, it is just like being the one who bought the Betamax. Sure, at first you tell everyone how great it is and even try and give them a demo. But, in the end you just sort of don't say anything because the world had passed you by on a path that will in the end be better for all. The short-term evolution gains mean nothing if you don't survive, remain competitive, or at least are not relegated to be a fanboy/slave. But, some of you do wear the Dobby WebOS face well.

I wouldn't say Betamax. I would say we have DVD, and the newer phones are blu-ray. DVD is still a very capable format without the glitz and glamour of blu-ray. Pre is still a very capable phone without all the bells and whistles.

My bluray player has more useful apps than the pre

Why would you need apps on your blu-ray player? Just get a PS3 if you want apps on your blu-ray player...

I was thinking the same thing. I know more people who have returned their Pres than still have one.

5 of my buds used to have Pres. They all have Evos now. I'm the only one now LOL.

...So you're a two-hand amputee? Sorry to hear that.

;-)

He's just another loser troll.

Well, VPN may be a bit extreme, but for starters don't browse sensitive info using unencrypted Wi-Fi channels.

Or just stop using Facebook. :P

I vote for not using facebook.. I only go on to read emails or get a hold of someone.. I keep my facebook very bare bones. So if someone hijacked my facebook whoopity doo they would get sooo bored on my page. Lol

Bottom line, I find it amusing that so many people have become internet retarded when it comes to privacy... My rule of thumb: "don't do anything on the internet you don't want the world to know about"

just saying.. There is no secure internet..

No one ever said where to get this app, is it actually available, or is this for the guys personal use only?

I'm wondering the same thing. I've never been to a Starbucks (not a coffee drinker) but now I want to go and try this thing out :)

Actually, WPA/WPA2 will help against Firesheep. The WPA/WPA2 protocol only uses the shared key during the handshake with the router/AP, which then generates a unique pairwise key for each client, so everyone's key is different and cannot be decrypted by other users on the wireless (this is not the case with WEP). Now, are there ways to circumvent that? Yes, but not with Firesheep alone.
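The per-client key the comment above describes is easy to see in code. The following is an added example (not the commenter's code, not part of the original article) that walks the WPA2-Personal key hierarchy with nothing but the Python standard library: the passphrase and SSID become the PMK via PBKDF2, and the PMK is expanded into a pairwise transient key (PTK) that mixes in both MAC addresses and both handshake nonces, so two clients on the same passphrase get different keys. It also shows the caveat the commenter hints at: every input to that expansion except the PMK is visible in the 4-way handshake, so anyone who already knows the shared passphrase and captures a peer's handshake can derive that peer's key too. The passphrase, SSID, MAC addresses and nonces used in the demo are constructed sample values; the "password"/"IEEE" pair checked in the test is the published IEEE 802.11 PSK test vector.

```python
"""Added example, not code from the original article or the commenter: the
WPA2-Personal key hierarchy, showing that clients sharing one passphrase get
different pairwise keys, and that anyone holding the passphrase plus a captured
4-way handshake can derive a peer's key anyway. The MAC addresses, nonces,
SSID and passphrase in demo() are constructed sample values."""
import hashlib
import hmac

PRF_LABEL = b"Pairwise key expansion"   # fixed label from IEEE 802.11


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ieee80211_prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """PRF-n from IEEE 802.11: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP, 48 bytes: KCK (16) || KEK (16) || TK (16).

    Both MACs and both nonces feed the PRF, so the PTK is unique per association
    even though the PMK is shared by everyone who knows the passphrase.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return ieee80211_prf(pmk, PRF_LABEL, data, 48)


def temporal_key(ptk: bytes) -> bytes:
    """The TK that actually encrypts this client's data frames."""
    return ptk[32:48]


# Constructed association parameters: one AP, two clients, same passphrase.
AP_MAC = bytes.fromhex("001122334455")
STA_A = bytes.fromhex("66778899aabb")
STA_B = bytes.fromhex("ccddeeff0011")
ANONCE_A, SNONCE_A = bytes(range(0, 32)), bytes(range(32, 64))
ANONCE_B, SNONCE_B = bytes(range(64, 96)), bytes(range(96, 128))


def demo(passphrase: str = "correct horse battery", ssid: str = "CoffeeShop") -> dict:
    """Derive keys for clients A and B, then what an eavesdropper on the same PSK gets for A."""
    pmk = wpa2_pmk(passphrase, ssid)
    ptk_a = wpa2_ptk(pmk, AP_MAC, STA_A, ANONCE_A, SNONCE_A)
    ptk_b = wpa2_ptk(pmk, AP_MAC, STA_B, ANONCE_B, SNONCE_B)
    # The eavesdropper knows the passphrase (it is shared) and reads A's MAC and
    # both nonces straight out of A's 4-way handshake frames, so it needs nothing
    # secret to A to land on exactly A's PTK.
    ptk_eve = wpa2_ptk(pmk, AP_MAC, STA_A, ANONCE_A, SNONCE_A)
    return {"a": ptk_a, "b": ptk_b, "eve_for_a": ptk_eve}


if __name__ == "__main__":
    keys = demo()
    print("TK for client A:", temporal_key(keys["a"]).hex())
    print("TK for client B:", temporal_key(keys["b"]).hex())
    print("eavesdropper recovers A's TK:", keys["eve_for_a"] == keys["a"])
```

So the comment is right on both counts: a plain Firesheep run on a WPA2-PSK network sees only frames encrypted under other clients' TKs, but a coffee shop that prints its passphrase on the wall has not really isolated its customers from each other, since anyone who captures the handshake can rebuild the key. 802.1X with per-user credentials (the earlier comment's point) removes the shared PMK and with it this shortcut.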
