[foaf-protocols] At a Cafe? I Can Hack Your Facebook, Twitter, Etc...With a Firefox Extension

Mischa Tuffield mischa.tuffield at garlik.com
Tue Oct 26 12:34:09 CEST 2010


On 26 Oct 2010, at 01:31, Kingsley Idehen wrote:

> On 10/25/10 6:12 PM, Melvin Carvalho wrote:
>> On 25 October 2010 23:45, Kingsley Idehen <kidehen at openlinksw.com> wrote:
>>> On 10/25/10 3:41 PM, Dan Brickley wrote:
>>>> On Mon, Oct 25, 2010 at 9:21 PM, Melvin Carvalho
>>>> <melvincarvalho at gmail.com> wrote:
>>>>> Whenever you connect to an unsecured WiFi network, you're taking a
>>>>> chance, but now it's easier than ever for someone to gain access to
>>>>> all of your social network login information. A new Firefox extension
>>>>> called Firesheep makes it simple for anyone to see that you're
>>>>> connected to the network, grab your login information for any number
>>>>> of social networks, and take over your online identity.
>>>>> 
>>>>> Without this, hacking your account over an unsecured wireless network
>>>>> may not be rocket science, but it surely isn't the one-click magic
>>>>> made possible by Firesheep.
>>>>> 
>>>>> http://www.readwriteweb.com/archives/at_a_cafe_i_can_hack_your_facebook_twitterwith_a_f.php

FWIW, might be slightly off topic (apologies if so), but I have written up how I go about trying to secure the Firefox instance on my laptop:

http://mmt.me.uk/blog/2010/10/26/https/

Mischa *goes back to lurking, sorry about the shameless plug, good work on WebID stuff, I must get me one ... 

>>>>> 
>>>>> Another issue that WebID solves?
>>>> I don't think WebID solves it; rather, it will boost SSL adoption, and
>>>> that will make WebID a slightly easier sell, by bringing these kinds
>>>> of technology more into mainstream use.
>>> This program showcases a pain in a manner that is pretty easy to comprehend.
>>> 
>>> The solution is SSL everywhere. The "Why" part is accentuated by the
>>> scenario-case i.e. starbucks lifestyle.
>> But can a company like, say, Facebook afford to switch its data
>> center servers over to SSL?  Surely the cost would be in the 10s or 100s
>> of millions?
>> 
> 
> Chump change if they perform basic "cost vs benefit" analysis. Absolute 
> chump change.
> 
> Would FB be ready to take out a 100 Million Dollar insurance policy with 
> "not becoming the next MySpace or Friendster" in mind? Of course they 
> would :-)
> 
> The thing about the Web is that things happen so fast, these are truly 
> exponential times.
> 
> Web 2.0 companies all play to the "we listen to our customers mantra..". 
> Well, let's see what happens once a ground swell of users have played 
> with Firesheep. As you know, there will be more Firesheeps along the 
> way. It's in the nature of all programmers to one-up other programmers :-)
> 
> 
> Kingsley
> 
>>>>   It is quite possible to use
>>>> WebID just for login, then drop down to an insecure HTTP/cookies
>>>> mechanism which then gets FireSheep'd.
>>> Not so, if the real moral here to social-networks is: authenticate and
>>> transmit data securely via SSL. That's what you get via WebIDs which
>>> place you into the WebID protocol realm of SSL, by default.
>>> 
>>> Basically, why use WebID for authentication, solely? It also contributes
>>> to authorization using ACLs with all data transmitted over HTTPS.
>>> 
>>> To conclude, WebID protocol and ACLs that leverage it should become the
>>> norm. Folks that continue to undermine the importance of this effort
>>> will ultimately find out the painful way (IMHO). Users are gradually
>>> catching on, and the Web of Linked Data will make the "catching on"
>>> process easier, as it gets denser.
>>> 
>>>>   So I wouldn't present WebID as
>>>> a solution, more as part of a general trend to making better use of
>>>> certs and SSL in mainstream Web sites.
>>> WebID protocol does imply use of HTTPS beyond authentication, at least
>>> in my world view :-) Thus, I see this as a very nice usecase re. WebID
>>> protocol virtues for developers of social networking solutions.
>>> 
>>> I will have my iPad and Notebook in tow when I next visit Starbucks
>>> (never used them in such places until now) :-)
>>> 
>>> Kingsley
>>> 
>>>> cheers,
>>>> 
>>>> Dan
>>>> _______________________________________________
>>>> foaf-protocols mailing list
>>>> foaf-protocols at lists.foaf-project.org
>>>> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>>>> 
>>> 
>>> --
>>> 
>>> Regards,
>>> 
>>> Kingsley Idehen
>>> President & CEO
>>> OpenLink Software
>>> Web: http://www.openlinksw.com
>>> Weblog: http://www.openlinksw.com/blog/~kidehen
>>> Twitter/Identi.ca: kidehen
>>> 
>>> 
> 
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen	
> President & CEO
> OpenLink Software
> Web: http://www.openlinksw.com
> Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca: kidehen
> 

___________________________________
Mischa Tuffield PhD
Email: mischa.tuffield at garlik.com
Homepage - http://mmt.me.uk/
Garlik Limited, 1-3 Halford Road, Richmond, TW10 6AW
+44(0)845 652 2824  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10 9AD
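
The failure mode raised in the thread (authenticate over SSL, then drop down to plain HTTP with a session cookie that a tool like Firesheep can read off an open network) can be checked for from the server operator's side. The following is an added example, not part of the original message; the function name and the header values are constructed for illustration.

```python
"""Audit response headers for session cookies that can leak over plain HTTP."""
from http.cookies import SimpleCookie


def audit_response(scheme, headers):
    """Return a list of findings for one HTTP response.

    scheme  -- "http" or "https": how the response was served
    headers -- list of (name, value) tuples as received
    """
    findings = []
    names = [name.lower() for name, _ in headers]
    # Without HSTS the browser is free to follow a later http:// link.
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append("no HSTS header: browser may fall back to http://")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if scheme == "http":
                findings.append(f"cookie {cookie_name!r} set over plain HTTP")
            elif not morsel["secure"]:
                # Cookie was issued over SSL but will ride along on any
                # later http:// request to the same host.
                findings.append(f"cookie {cookie_name!r} lacks Secure flag")
    return findings


# Constructed sample: login served over HTTPS, cookie usable over HTTP.
LOGIN_THEN_DOWNGRADE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]

# Constructed sample: the same response with SSL enforced for the session.
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("downgrade", LOGIN_THEN_DOWNGRADE), ("hardened", HARDENED)):
        print(label, audit_response("https", hdrs))
```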
