Banking sites and other high-security sites typically use https for everything, but most websites do not. However, because https is slower than regular http (because all that encryption takes time), websites often only use the secure https for login, and use insecure http after that. When using SSL, anyone snooping will get gibberish and can't get your userid and password. Web pages usually use https for login pages, which means SSL (Secure Socket Layer) is used to encrypt the data.
This assumes a couple things: first, that a bad guy can't guess the cookie (which would be pretty hard for a long string of random characters), and second, that nobody has stolen your cookie. Every time you load a new page, your browser sends the value back to the website and the website knows that you're the person who logged on. For a login cookie, the website makes up a unique value each time someone logs in and sends it to the browser. Basically, a cookie is a short block of characters. You may be wondering what these mysterious cookies are. By snooping on the Wi-Fi network, Firesheep can grab this cookie, and with the cookie the Firesheep user can hijack your session just as if they are logged in as you. The Firesheep site gives an overview of its operation: after you log into a website, the website gives your browser a cookie. Even if you log in securely over SSL, you're not protected.
He could then start updating your Facebook status and feed for instance. This is rather scary if you're using Wi-Fi in a coffee shop and access one of these sites, the guy in the corner with a laptop could just go click-click and be logged in as you. You may have heard about Firesheep, a new Firefox browser add-on that lets anyone easily snoop over Wi-Fi and hijack your identity for services such as Facebook and Twitter.
0 kommentar(er)
