Paranoia to read up on …

… which trackers identify us, where and how; the technology is fascinating, the results frightening!

Software download:


facebook over https is online

look under my account | settings | security:

(screenshot: facebook security settings)

Published in Basics, English, Miscellaneous.

diaspora is https throughout

see and tells me I’ve got ten invites left – any takers?

;-)) Michael

Published in English, Miscellaneous.

facebook over https

Played around on facebook yesterday. You can reach facebook over https, thus encrypting your session cookies and the rest of your traffic. The downside is that facebook does not stay consistently on https. Some links spit you back to http without encryption. I hope they will fix that soon …

Published in Basics, English, Miscellaneous.

You will be 0wn3d at the next public hotspot

Someone told me there was an easy way to hack facebook and other accounts at free WiFi hotspots, because they didn't encrypt their traffic …
… my first reaction was like "what kind of bs is that?", but when my contact said this was the way schoolkids used to deface their classmates' facebook accounts, I decided to investigate. So here's the short, simplified version:

  • If you log on to your favorite service on the net, you are almost certainly using an encrypted (https) sign-in page – at this point everything is fine.
  • As soon as you are logged on, you get a "session cookie" that identifies you to all of the following non-encrypted http pages. The browser sends this session cookie unencrypted with every request, since you are communicating via http, not https (SSL).
  • A (public) hotspot acts – technically speaking – like a network hub: the wireless medium is shared, so all payload traffic is visible to all connected devices, and theoretically and practically every session cookie is transmitted unencrypted to every device connected to the public hotspot. The only difference between public and non-public hotspots is that everybody can use the public hotspot, whereas private WLANs try to shut out the bad boys (and girls!) …
  • If you are in possession of such a session cookie, you can impersonate the original owner of that session cookie, i.e. use their account, change passwords, deface profiles – you name it!

See how easy it is with firesheep in a tutorial or on youtube

Or try it yourself: firesheep download for firefox (TM)

This is one of the main reasons security-aware companies like cirosec no longer offer http webpages – try to change the address of their site from https to http and see what happens …

As long as your favorite portal has not yet implemented this, you should consider using public hotspots with caution or not at all – at least not to access vital personal and sensitive information portals.

If you provide logons using session cookies – who doesn't – you should consider moving all of your pages to encrypted communication, i.e. https!
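As an added example (not part of the original post, and not code from any of the sites mentioned), the following Python script shows the checks a site operator would run on their own responses to confirm the fix described above actually closes the hole: whether the session cookie carries the Secure attribute (so the browser never sends it over a stray http link), whether the site sends Strict-Transport-Security, and whether a plain http request is redirected to https without setting a cookie on the way. The response headers and the hostname portal.example are constructed sample data; the cookie-sending rule mirrors what browsers do with the Secure attribute per RFC 6265.

```python
"""Audit Set-Cookie headers and the http-to-https policy of a site the way a
browser sees them.  All headers below are constructed sample data for a
hypothetical site "portal.example"; nothing touches the network."""
from typing import Dict, List, Tuple

# Constructed sample: what the hotspot-vulnerable portal sends after login.
INSECURE_RESPONSE = {
    "status": 200,
    "headers": [
        ("Set-Cookie", "session=abc123; Path=/"),
        ("Content-Type", "text/html"),
    ],
}
# Constructed sample: the same page after moving the site fully to https.
HARDENED_RESPONSE = {
    "status": 200,
    "headers": [
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Type", "text/html"),
    ],
}
# Constructed sample: what the hardened site answers to a plain http request.
HTTP_REDIRECT_RESPONSE = {
    "status": 301,
    "headers": [("Location", "https://portal.example/")],
}


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, attributes).  Attribute
    names are case-insensitive (RFC 6265), so they are lower-cased; flag
    attributes such as Secure and HttpOnly map to the empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_sent_to(set_cookie_values: List[str], scheme: str) -> List[str]:
    """Names of the cookies a browser would attach to a request over `scheme`
    ("http" or "https").  A cookie carrying Secure is only sent over https,
    so it never appears in cleartext on the hotspot's shared medium."""
    sent = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if "secure" in attrs and scheme != "https":
            continue
        sent.append(name)
    return sent


def audit_response(response: dict) -> List[str]:
    """Findings for a logged-in https page: every cookie should be Secure and
    HttpOnly, and the site should pin itself to https with HSTS."""
    findings = []
    headers = response["headers"]
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(val)
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure: sent in cleartext on any http link")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks HttpOnly: readable by page scripts")
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no Strict-Transport-Security: browser may follow http links")
    return findings


def audit_http_entry(response: dict) -> List[str]:
    """Findings for the answer to a plain http request: the hardened answer is
    a redirect to an https Location, with no cookie set before the redirect."""
    findings = []
    status = response["status"]
    location = next((v for k, v in response["headers"] if k.lower() == "location"), "")
    if status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http request served content instead of redirecting to https")
    if any(k.lower() == "set-cookie" for k, _ in response["headers"]):
        findings.append("cookie set over http: already leaked before the redirect")
    return findings


if __name__ == "__main__":
    for label, resp in (("insecure", INSECURE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
    print("http entry (insecure)", audit_http_entry(INSECURE_RESPONSE))
    print("http entry (hardened)", audit_http_entry(HTTP_REDIRECT_RESPONSE))
```

The point of `cookies_sent_to` is the one that matters on a hotspot: with the insecure header the session cookie goes out on every http link the site still has, while with the Secure attribute the browser simply withholds it on http, so an inconsistent mix of http and https pages (the facebook behaviour described above) still leaks nothing. HSTS and the http-to-https redirect then remove the remaining cleartext requests altogether.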

Published in Basics, English, Miscellaneous.