On Wed, 19 Jan 2011 10:53:50 -0500, Curt Howland wrote:

> On Wednesday 19 January 2011, Camaleón was heard to say:
>
>> Data stored in cookies is not what I understand by "sensitive". What
>> kind of information do you think cookies are managing?
>
> Maybe this would be enlightening:
>
> http://codebutler.com/firesheep
>
> FTA:
> "It's extremely common for websites to protect your password by
> encrypting the initial login, but surprisingly uncommon for websites to
> encrypt everything else. This leaves the cookie (and the user)
> vulnerable. HTTP session hijacking (sometimes called "sidejacking") is
> when an attacker gets a hold of a user's cookie, allowing them to do
> anything the user can do on a particular website. On an open wireless
> network, cookies are basically shouted through the air, making these
> attacks extremely easy."

Maybe I have not expressed myself properly. Any data passing through an unencrypted channel is vulnerable to being fetched and reviewed by anyone, and we all know that. My point here is that I don't mind _that kind of data_ being disclosed, because it is public and easily gathered by other means (anyone reading my e-mail headers can see my IP address and/or e-mail client), and tracking cookies (session cookies) do not contain sensitive information (by "sensitive information" I mean passwords or username logins for gaining access to online services, like banking, shopping or such).

In brief:

- Does the cookie contain sensitive/private information? → set/get the cookie using ssl
- Does the cookie contain standard/publicly available information? → no need to be encrypted

What I fear, more than "unencrypted" browsing, is e-mail/ftp logins using clear text passwords.

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/pan.2011.01.19.16.46...@gmail.com
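The rule in the message above ("sensitive cookie → set/get it over SSL") is what the `Secure` cookie attribute enforces in the browser, and the Firesheep quote is about session cookies that lack it. The following is an added example, not code from the thread or from Firesheep: a small audit of `Set-Cookie` header values that reports session-looking cookies (a constructed name heuristic, or names the caller supplies) which would still be sent over plain HTTP, while leaving cookies holding public data alone.

```python
"""Check Set-Cookie headers against the rule 'sensitive cookie -> only over SSL'."""
from __future__ import annotations
from dataclasses import dataclass, field

# Heuristic: names that usually carry a login/session identifier (a constructed
# list for this example; a real site knows its own session cookie names exactly).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    sensitive: bool
    secure: bool
    httponly: bool
    samesite: str | None
    findings: list[str] = field(default_factory=list)


def is_session_cookie(name: str, known_sensitive: frozenset[str] = frozenset()) -> bool:
    """Sensitive if on the caller's list or the name looks like a session/auth id."""
    lowered = name.lower()
    return name in known_sensitive or any(h in lowered for h in SESSION_NAME_HINTS)


def audit_set_cookie(header: str, known_sensitive: frozenset[str] = frozenset()) -> CookieReport:
    """Parse one Set-Cookie value such as 'sid=abc; Path=/; Secure' and flag
    attributes that contradict the 'sensitive -> SSL only' rule."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flags like Secure get value ""
    report = CookieReport(
        name=name,
        sensitive=is_session_cookie(name, known_sensitive),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )
    if report.sensitive:
        if not report.secure:
            # Without Secure the browser also attaches this cookie to http:// requests,
            # so on an open network it is exposed in clear (the sidejacking case).
            report.findings.append("missing Secure: session cookie may travel over plain HTTP")
        if not report.httponly:
            report.findings.append("missing HttpOnly: cookie readable by page scripts")
    # A cookie holding only public data (e.g. a language preference) needs neither
    # attribute under the rule, so nothing is reported for it.
    return report
```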