funsec mailing list archives

Re: Firesheep protection?


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 2 Nov 2010 22:55:18 -0700 (PDT)

> It appears the developers have documented some of the plugin's
> technical limitations at
> https://addons.mozilla.org/en-US/firefox/addon/12714/. Is this
> supposed to be original research?

What?

People recommended Force-TLS as protection against sidejacking. I tried it. It
failed. I wouldn't call this "research", nor would I call it a particularly
original idea. Although, I would call it "original" from the perspective that it
was me who did it, as opposed to reporting on what others had done.

> Hmm.... According to your closing comments, it fails under some
> circumstances (XmlHttp)

What? It failed under all circumstances to prevent sidejacking of Twitter.

> Is it fair to pounce on Rob, grandpa of Ryan, Trevor,
> Devon & Hannah with "it does not work.... read <some blog>"?

Oops, I misunderstood his post. I thought he was recommending them, not asking
about them. I apologize.

> Out of curiosity, did you inform Collin Jackson and Adam Barth, or are
> you waiting for the developers to find <some blog>, much like MustLive
> and his 0-day XSS vulnerabilities?

What? I didn't know that Force-TLS was designed to protect against this problem.
It doesn't sound like it from the description.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.