Re: Firesheep protection?

[Jeffrey Walton <noloader () gmail com>]

On Tue, Nov 2, 2010 at 4:37 PM, Robert Graham
<robert_david_graham () yahoo com> wrote:
> Force-TLS doesn't work, as I document here:
> http://erratasec.blogspot.com/2010/10/re-firesheep.html
It appears the developers have documented some of the plugin's
technical limitations at
https://addons.mozilla.org/en-US/firefox/addon/12714/. Is this
supposed to be original research?

> I suggest people actually try them out before recommending them.
Hmm.... According to your closing comments, it fails under some
circumstances (XmlHttp), which appears to be documented  by the
developers. Is it fair to pounce on Rob, grandpa of Ryan, Trevor,
Devon & Hannah with "it does not work.... read <some blog>"?

Out of curiosity, did you inform Collin Jackson and Adam Barth, or are
you waiting for the developers to find <some blog>, much like MustLive
and his 0-day XSS vulnerabilities?

Jeff

> ----- Original Message ----
> From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
> To: funsec () linuxbox org
> Sent: Tue, November 2, 2010 4:07:16 PM
> Subject: [funsec] Firesheep protection?
>
> Working towards some protection (not just against Firesheep, but the real
> problem), anyone have comparative advice on the useability/effectiveness of:
>
> HTTPS Everywhere
> https://addons.mozilla.org/en-US/firefox/addon/229918/
> also at https://www.eff.org/https-everywhere
>
> Open Secure
> https://addons.mozilla.org/en-US/firefox/addon/11358/
> also at http://opensecext.blogspot.com
>
> Force-TLS
> https://addons.mozilla.org/en-US/firefox/addon/12714/
> also at http://forcetls.sidstamm.com/
>
> or any other recommendations?
>
> [SNIP]
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.