More danger lurking for WebUsers

Talk about "WhatEVER !"..
RealBlackStuff
Admin
Posts: 17512
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

More danger lurking for WebUsers

#1 Post by RealBlackStuff » Fri Oct 29, 2010 4:25 pm

Firesheep has made it possible for any moron to raid your Web use, but there are ways you can stop it.
Here are a few of them.
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: More danger lurking for WebUsers

#2 Post by ThinkRob » Fri Oct 29, 2010 4:49 pm

Sadly, not on this forum, since it doesn't support SSL.

Is there anything that can be done about that?
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

Woodenspoon
Freshman Member
Posts: 69
Joined: Sat Oct 30, 2010 1:07 am
Location: San Jose, Calif. USA

Re: More danger lurking for WebUsers

#3 Post by Woodenspoon » Thu Nov 04, 2010 1:03 am

Yeah, exactly: this site, like many more, can no longer be used on open or WEP WiFi :(

Harryc
Moderator Emeritus
Posts: 13228
Joined: Thu Apr 12, 2007 8:23 am
Location: Upstate New York

Re: More danger lurking for WebUsers

#4 Post by Harryc » Thu Nov 04, 2010 3:23 am

It's been discussed amongst the staff and the consensus is that SSL is a dog and it would slow down the site. In addition to this most other forums do not run SSL for that very reason. Also, if a member gets a forum password lifted and it is discovered that someone else is using it, just ask an Admin to reset it, end of story. It's not the end of the world. Oh, and Chicken Little, the sky is not falling. (Insert any other cute but obnoxious saying here) :)

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: More danger lurking for WebUsers

#5 Post by ThinkRob » Thu Nov 04, 2010 11:30 am

Harryc wrote: "It's been discussed amongst the staff and the consensus is that SSL is a dog and it would slow down the site. In addition to this most other forums do not run SSL for that very reason."

I'm not sure that the consensus reached was correct.

According to one of Google's engineers:

"In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

"If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more."

I think that's pretty clear.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

Harryc
Moderator Emeritus
Posts: 13228
Joined: Thu Apr 12, 2007 8:23 am
Location: Upstate New York

Re: More danger lurking for WebUsers

#6 Post by Harryc » Thu Nov 04, 2010 12:36 pm

ThinkRob wrote: "I think that's pretty clear."

The site owner says no SSL, and he pays the bills. I think that's pretty clear as well.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: More danger lurking for WebUsers

#7 Post by ThinkRob » Thu Nov 04, 2010 1:45 pm

Harryc wrote: "The site owner says no SSL, and he pays the bills. I think that's pretty clear as well."

Fair enough. :D

It's no problem for me, as I *never* re-use passwords, and since everything we post is public there's probably not much harm even if the traffic were to be intercepted.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

ajkula66
SuperUserGeorge
Posts: 15739
Joined: Sun Feb 25, 2007 11:28 am
Location: Brodheadsville, Pennsylvania

Re: More danger lurking for WebUsers

#8 Post by ajkula66 » Thu Nov 04, 2010 10:15 pm

Woodenspoon wrote: "Yeah, exactly: this site, like many more, can no longer be used on open or WEP WiFi :("

Don't know about the "open" but it can most certainly be used with WEP. Doing it right now.
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)

Cheers,

George (your grouchy retired FlexView farmer)

AARP club members:A31p, T43pSF

Abused daily: T61p

PMs requesting personal tech support will be ignored.

mediasponge
Junior Member
Posts: 286
Joined: Mon Oct 22, 2007 5:57 pm
Location: Milpitas, CA

Re: More danger lurking for WebUsers

#9 Post by mediasponge » Fri Nov 05, 2010 4:58 pm

Firesheep is a problem on OPEN WiFi sites, like Starbucks. As long as you are using some flavor of WEP/WPA/WPA2/ etc. you are probably pretty safe at home. You can also set your router not to broadcast the SSID. That means all your home wireless devices need to have the SSID and security info entered manually, but that is minimal effort. Most systems outside your house won't even see your WAP because the SSID broadcast is silent. This could turn into a market killer for public WiFi, though.

OTOH, some coffee shops are starting to buck the trend of having unlimited WiFi, because people will sit there for hours nursing one cup of coffee just to use the WiFi. They are either turning it off, or setting limits on it. There's a particular coffee shop in Palo Alto I used to go to that was impossible to get a table in because of all the parked laptops.
A31p: 2653-N5U, 1.7GHz, 1.5GB, 320GB (upgr), CDRW/DVD, Win XP-Pro SP3
X41: 2528-5FU, 1.5 Ghz, 2GB, 40GB, Win XP-Pro SP3

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: More danger lurking for WebUsers

#10 Post by ThinkRob » Fri Nov 05, 2010 5:17 pm

mediasponge wrote: "As long as you are using some flavor of WEP/WPA/WPA2/ etc. you are probably pretty safe at home. You can also set your router not to broadcast the SSID. That means all your home wireless devices need to have the SSID and security info entered manually, but that is minimal effort. Most systems outside your house won't even see your WAP because the SSID broadcast is silent."

Two things:

1) WEP is so fundamentally weak that it's trivial to break. It's right up there with wet cardboard wrapped around your AP in terms of how much protection it affords your network. WPA2+AES is the only real way to do wireless security.

2) "Hidden" SSIDs are not a security measure. It's easy to find so-called "hidden" networks, and every piece of stumbling/wardriving software that I've ever come across will do so automatically. There's no reason to do this, as it causes problems with a number of devices yet provides no protection whatsoever.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none
