Kmar
Truth is my Bitch
+5,695|6857|132 and Bush

Fairly obvious really, but you never know. Make sure you are using HTTPS where available. There is a new app for Android which makes it very easy to hack into someone's Facebook, Twitter, and other accounts. HTTPS is off by default on Facebook and Twitter. So if you haven't turned it on it's not on.

https://static.bf2s.com/files/user/15901/1.jpg

Via Engadget

Remember Firesheep? Well, the cookie snatching Firefox extension now has a more portable cousin called FaceNiff. This Android app listens in on WiFi networks (even ones encrypted with WEP, WPA, or WPA2) and lets you hop on to the accounts of anyone sharing the wireless connection with you. Right now it works with Facebook, Twitter, YouTube, and Nasza-Klasa (a Polish Facebook clone), but developer Bartosz Ponurkiewicz promises more are coming. You'll need to be rooted to run FaceNiff -- luckily, we had such a device laying around and gave the tap-to-hack app a try.

Within 30 seconds it identified the Facebook account we had open on our laptop and had us posting updates from the phone. At least with Firesheep you had to sit down and open up a laptop, now you can hijack Twitter profiles as you stroll by Starbucks and it'll just look like you're sending a text message (but you wouldn't do that... would you?).

If you still haven’t switched to HTTPS connection on all your favorite web services which support it (both Facebook and Twitter have the option), we recommend you do so right now.

Besides Facebook and Twitter, the latest version of FaceNiff also works with YouTube, Amazon and Polish social network Nasza-Klasa.




Enabling HTTPS for Facebook.


Enabling HTTPS for Twitter.
Xbone Stormsurgezz
tazz.
oz.
+1,338|6430|Sydney | ♥

https://facebook.com

Then click make it default.
everything i write is a ramble and should not be taken seriously.... seriously.
Kmar
Truth is my Bitch
+5,695|6857|132 and Bush

I tried that with Twitter, and it won't let me un-select https and save. It says it saves my settings without it, and when it refreshes it is still checked. At least it is saving it the way I want.
Xbone Stormsurgezz
Zimmer
Un Moderador
+1,688|7012|Scotland

That is awesome. Must try it sometime.
Kmar
Truth is my Bitch
+5,695|6857|132 and Bush

lol.. you know there are some people you can tell this to 100xs over and they still won't do it.
Xbone Stormsurgezz
tazz.
oz.
+1,338|6430|Sydney | ♥

everything i write is a ramble and should not be taken seriously.... seriously.
Kmar
Truth is my Bitch
+5,695|6857|132 and Bush

Pretty sure that if places like Starbucks just had proper password protection it would solve most of this. Even if they put the password up on a billboard in the shop. It would make secured connections.
Xbone Stormsurgezz
Ilocano
buuuurrrrrrppppp.......
+341|6923

Now, if the biggest online retailer would just do this...
Zimmer
Un Moderador
+1,688|7012|Scotland

Ilocano wrote:

Now, if the biggest online retailer would just do this...
Amazon?
Ilocano
buuuurrrrrrppppp.......
+341|6923

Yeah.  Your cart isn't https by default or via icon.  I have over 500 items in my cart to track price changes.

And I don't think the cookies ever expire.  So, if you ever forget to "not me" or delete cookies on a particular PC, your cart is on that PC until some other account logs in.
Zimmer
Un Moderador
+1,688|7012|Scotland

Ilocano wrote:

Yeah.  Your cart isn't https by default or via icon.  I have over 500 items in my cart to track price changes.

And I don't think the cookies ever expire.  So, if you ever forget to "not me" or delete cookies on a particular PC, your cart is on that PC until some other account logs in.
No, that's wrong. Cookies by default expire on Amazon, the cookie acknowledging that it may be you is still there which stupidly shows you as signed in... but when you go to Orders and VIEW MY ORDERS and stuff, it asks for a sign in. Try it out for yourself.

Your cart isn't HTTPS, but everything after that step is. Not sure what advantage someone would get of seeing your cart other than annoying you and deleting items from it.
Ilocano
buuuurrrrrrppppp.......
+341|6923

Zimmer wrote:

Ilocano wrote:

Yeah.  Your cart isn't https by default or via icon.  I have over 500 items in my cart to track price changes.

And I don't think the cookies ever expire.  So, if you ever forget to "not me" or delete cookies on a particular PC, your cart is on that PC until some other account logs in.
No, that's wrong. Cookies by default expire on Amazon, the cookie acknowledging that it may be you is still there which stupidly shows you as signed in... but when you go to Orders and VIEW MY ORDERS and stuff, it asks for a sign in. Try it out for yourself.

Your cart isn't HTTPS, but everything after that step is. Not sure what advantage someone would get of seeing your cart other than annoying you and deleting items from it.
Yes, when actually ordering.  But when you've got over 500 items in your cart, and you use changes to it to help track price changes, some rogue going in and adding/deleting to it is more than annoying.

Yes, I buy a ton at Amazon.  And for someone to play havoc on my cart would be a serious issue for me.
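
(Added example, not part of any post in this thread.) The thread turns on which cookies travel over plain HTTP, where anyone sharing the network can read them, and which are held back for HTTPS. The sketch below audits a set of Set-Cookie headers for that; the shop.example host, cookie names and values are constructed, and domain matching is left out on the assumption of a single host.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: a hypothetical shop whose cart runs over HTTP and whose
# order pages run over HTTPS. Only auth-token carries the Secure flag.
SAMPLE_SET_COOKIE = [
    "session-id=abc123; Path=/; Domain=.shop.example",
    "cart-token=c4rt; Path=/cart",
    "auth-token=s3cr3t; Path=/; Secure; HttpOnly",
]

def parse_cookies(set_cookie_headers):
    """Return {name: {"secure": bool, "httponly": bool, "path": str}}."""
    result = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            result[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "path": morsel["path"] or "/",
            }
    return result

def path_matches(request_path, cookie_path):
    """RFC 6265 style path match: exact, or prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(url, cookies):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    path = parts.path or "/"
    sent = []
    for name, attrs in cookies.items():
        if attrs["secure"] and parts.scheme != "https":
            continue  # Secure cookies never leave over plain HTTP
        if path_matches(path, attrs["path"]):
            sent.append(name)
    return sorted(sent)

def exposed_on_http(url, cookies):
    """Cookies sent in cleartext (readable on a shared network) for url."""
    return cookies_sent(url, cookies) if urlsplit(url).scheme == "http" else []
```

Any cookie reported by `exposed_on_http` that identifies the session is one the site should mark Secure and serve only over HTTPS.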
Kmar
Truth is my Bitch
+5,695|6857|132 and Bush

oh yea, and if you are using a web-client verify..
https://i.imgur.com/sojUu.jpg
Xbone Stormsurgezz
