sslstrip

What is Firesheep?

You may remember about 4 years ago Eric Butler released a Firefox extension that did something very clever.  It hooked into a packet capture library and could capture cookies that weren’t sent over SSL, at an open Wi-Fi access point.   That extension was Firesheep.  The press grabbed onto this story as it made “hacking” into someone’s Facebook account something almost anyone could do.  At the time, many sites would shuttle you securely over https:// for the login and then give you an authentication cookie that was served insecurely over http://.  This authentication cookie is the thing that proves you are who you say you are so if a bad guy got access to this cookie, they could easily impersonate you on that site.

firesheep
Read Full Article

I was thinking about this question the other day.  It SEEMS obvious…  I relialized that it relates to one of my favourite misconceptions about https or SSL/TLS.  Often people get too focused on the encryption aspect of SSL/TLS and not the authenticity and verification properties of it.  When Google first announced that Google search was going to be over “https” a few years ago I, like a lot of people, assumed that it was because it was to make your search results private.

 

Google’s support page, regarding SSL Search, quite correctly points out:

SSL doesn’t always protect:

  • The fact that you visited google.com
  • The search terms that you typed

     

Read Full Article