Wireless and Wifi Forums > News > Newsgroups > alt.computer.security

Thread: Re: A Wolf In Sheep's Clothing - New Threat

#1  Anne & Lynn Wheeler, 11-09-2010, 06:23 PM


Facebook and Twitter fail basic security test
http://news.yahoo.com/s/digitaltrend...icsecuritytest

from above:

Riding off of the coattails of the FireSheep Firefox exploit, Digital
Society has studied the basic security functions of 11 popular
websites and given them grades. The results are not stellar for most,
especially social networking sites Twitter and Facebook, which both
received failing grades.

... snip ...

Long ago and far away we were called in to consult with small
client/server startup that wanted to do payment transactions on their
server; they had also invented this technology called "SSL" they wanted
to use; the result is now frequently called "electronic commerce". Part
of the effort was study regarding security requirements for SSL
deployment and use. Almost immediately the security requirements were
violated because webservers found SSL cut their throughput 90-95%, dropping
back to just using it for paying/checkout.

--
virtualization experience starting Jan1968, online at home since Mar1970

#2  FromTheRafters, 11-09-2010, 06:57 PM

"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
news:m3hbfqb8t0.fsf@garlic.com...
>
> Facebook and Twitter fail basic security test
> http://news.yahoo.com/s/digitaltrend...icsecuritytest
>
> from above:
>
> Riding off of the coattails of the FireSheep Firefox exploit, Digital
> Society has studied the basic security functions of 11 popular
> websites and given them grades. The results are not stellar for most,
> especially social networking sites Twitter and Facebook, which both
> received failing grades.
>
> ... snip ...
>
> Long ago and far away we were called in to consult with small
> client/server startup that wanted to do payment transactions on their
> server; they had also invented this technology called "SSL" they wanted
> to use; the result is now frequently called "electronic commerce". Part
> of the effort was study regarding security requirements for SSL
> deployment and use. Almost immediately the security requirements were
> violated because webservers found SSL cut their throughput 90-95%, dropping
> back to just using it for paying/checkout.


Reading around on the net, I see recommendations for transport layer
security as having some effect against this attack - I don't see how, if
this really is about a cookie *file* on a computer on the unsecured wireless
network as indicated in the OP's quote. Getting hold of *cookies* in this
sense must not be quite the same as getting hold of *cookie files* stored on
a computer on the affected network - or else SSL/TLS wouldn't have any
effect on it.



#3  Anne & Lynn Wheeler, 11-09-2010, 07:24 PM


"FromTheRafters" <erratic.howard@gmail.com> writes:
> Reading around on the net, I see recommendations for transport layer
> security as having some effect against this attack - I don't see how, if
> this really is about a cookie *file* on a computer on the unsecured wireless
> network as indicated in the OP's quote. Getting hold of *cookies* in this
> sense must not be quite the same as getting hold of *cookie files* stored on
> a computer on the affected network - or else SSL/TLS wouldn't have any
> effect on it.


cookie capture is eavesdropping on open communication channel (during
cookie transfer) ... followed by a "replay attack" of the harvested
cookie ... then encrypting the communication is countermeasure to
eavesdropping (as opposed to a trojan running on the victim machine that
harvests the cookie from disk file).

there is separate discussion about cookies being a poor solution

lcamtuf's blog: HTTP cookies, or how not to design protocols
http://lcamtuf.blogspot.com/2010/10/...to-design.html

--
virtualization experience starting Jan1968, online at home since Mar1970
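The eavesdrop-then-replay sequence Lynn describes, as an added example that is not part of the thread or of Firesheep itself: a toy browser cookie jar, a plaintext "wire" that anyone on the open network can read, an attacker that harvests Host/Cookie pairs from it, and a server that identifies users purely by the session cookie value. The host name, cookie name and session value are made up. Running it with and without the cookie's Secure attribute shows why encrypting the channel (and marking the cookie so the browser only sends it over that channel) is the countermeasure to eavesdropping, and why it does nothing against a trojan reading the cookie file on disk: in the second case the attacker never needs the wire at all.

```python
"""Eavesdrop-then-replay of an HTTP session cookie (the Firesheep pattern).

Added illustration for this thread, not code from the thread or from Firesheep.
Host name, cookie name and session value are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure attribute: browser attaches it on https:// requests only


class Browser:
    """Minimal cookie jar that honours the Secure attribute."""

    def __init__(self, jar: list[Cookie]):
        self.jar = jar

    def request(self, scheme: str, host: str, path: str) -> bytes:
        sent = [c for c in self.jar if scheme == "https" or not c.secure]
        lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
        if sent:
            lines.append("Cookie: " + "; ".join(f"{c.name}={c.value}" for c in sent))
        return ("\r\n".join(lines) + "\r\n\r\n").encode()


def on_the_wire(scheme: str, request: bytes) -> bytes:
    """What a passive sniffer on the open network sees: http:// in the clear,
    https:// only as an opaque TLS record."""
    return request if scheme == "http" else b"<encrypted TLS record>"


HOST_RE = re.compile(rb"^Host: ([^\r\n]+)", re.M)
COOKIE_RE = re.compile(rb"^Cookie: ([^\r\n]+)", re.M)


def _cookies(header: bytes) -> dict[str, str]:
    return dict(kv.split("=", 1) for kv in header.decode().split("; "))


def harvest(captured: list[bytes]) -> dict[str, dict[str, str]]:
    """Attacker side: collect Host -> cookies from every plaintext request seen."""
    loot: dict[str, dict[str, str]] = {}
    for pkt in captured:
        h, c = HOST_RE.search(pkt), COOKIE_RE.search(pkt)
        if h and c:
            loot.setdefault(h.group(1).decode(), {}).update(_cookies(c.group(1)))
    return loot


# Server side: the session store maps cookie value -> user.  Whoever presents the
# value is that user; the server cannot tell a replay from the real browser.
SESSIONS = {"s3ss10n-abc": "victim@example.com"}


def server_whoami(request: bytes) -> str | None:
    m = COOKIE_RE.search(request)
    return SESSIONS.get(_cookies(m.group(1)).get("sid")) if m else None


def replay(loot: dict[str, dict[str, str]], host: str, path: str = "/inbox") -> bytes:
    """Attacker's own request carrying the harvested cookie; no password involved."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in loot[host].items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_hdr}\r\n\r\n".encode()


def run_scenario(secure_flag: bool) -> str | None:
    """Victim loads a page over http:// and then https://; attacker sniffs both
    and replays whatever it got.  Returns the identity the server grants the attacker."""
    victim = Browser([Cookie("sid", "s3ss10n-abc", secure=secure_flag)])
    captured = [on_the_wire(s, victim.request(s, "social.example", "/home"))
                for s in ("http", "https")]
    loot = harvest(captured)
    if "social.example" not in loot:
        return None  # nothing usable crossed the wire in the clear
    return server_whoami(replay(loot, "social.example"))


if __name__ == "__main__":
    print("session cookie without Secure:", run_scenario(False))  # victim@example.com
    print("session cookie with Secure:   ", run_scenario(True))   # None
```

The point of the two runs: the site in the first run is doing exactly what the quoted article complains about, logging the user in over TLS and then letting the browser carry the resulting session cookie over plain http:// for everything else. The sniffer never sees a password, only the cookie, and that is all the server checks.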

#4  Ari Silverstein, 11-09-2010, 10:41 PM

On Tue, 9 Nov 2010 14:57:37 -0500, FromTheRafters wrote:

> "Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
> news:m3hbfqb8t0.fsf@garlic.com...
>>
>> Facebook and Twitter fail basic security test
>> http://news.yahoo.com/s/digitaltrend...icsecuritytest
>>
>> from above:
>>
>> Riding off of the coattails of the FireSheep Firefox exploit, Digital
>> Society has studied the basic security functions of 11 popular
>> websites and given them grades. The results are not stellar for most,
>> especially social networking sites Twitter and Facebook, which both
>> received failing grades.
>>
>> ... snip ...
>>
>> Long ago and far away we were called in to consult with small
>> client/server startup that wanted to do payment transactions on their
>> server; they had also invented this technology called "SSL" they wanted
>> to use; the result is now frequently called "electronic commerce". Part
>> of the effort was study regarding security requirements for SSL
>> deployment and use. Almost immediately the security requirements were
>> violated because webservers found SSL cut their throughput 90-95%, dropping
>> back to just using it for paying/checkout.

>
> Reading around on the net, I see recommendations for transport layer
> security as having some effect against this attack - I don't see how, if
> this really is about a cookie *file* on a computer on the unsecured wireless
> network as indicated in the OP's quote. Getting hold of *cookies* in this
> sense must not be quite the same as getting hold of *cookie files* stored on
> a computer on the affected network - or else SSL/TLS wouldn't have any
> effect on it.


The Wheelers have addressed the regeneration of info from a cookie but
let's make sure that it is understood that this attack isn't
particularly new

http://www.wallofsheep.com/about/history/

or limited to unsecured wireless networks. Wired networks are as
vulnerable but not as easy to find (sometimes).

The answer is full SSL via HTTPS but as the Wheelers have also pointed
out the speed cost is high hence we have encrypted sessions typically
only where financial info is being transmitted.

IMO the only answer is Tor and with the speed at which Tor operates
these days, it is little price to pay. Think of Tor this way. Imagine
not having anything except Tor for browsing. Speed seems OK now
doesn't it.
--
<http://2.bp.blogspot.com/_WhnvofcHy48/SDxAZbSaqnI/AAAAAAAAADo/Qh2FYauXJMo/s400/RIMG0019-2.JPG>
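A check of the kind the grading study in the first post alludes to, and of the "full SSL via HTTPS" answer above, as an added example (not the Digital Society test, not any site's real headers, and written for this thread rather than taken from it): given what http://host/ and https://host/ returned after login, it reports whether the plaintext side only redirects to TLS, whether the session cookie carries Secure and HttpOnly, and whether HSTS is set. The response headers are constructed, and the cookie names treated as session cookies are an assumption.

```python
"""Audit the response properties that decide whether a session can be sidejacked.

Added example for this thread; the responses below are constructed, not real
headers from any site, and the check is not the Digital Society methodology.
"""
from __future__ import annotations

# Assumption: cookie names treated as the login session for this check.
SESSION_COOKIE_NAMES = {"sid", "session", "auth_token"}


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """'sid=abc; Secure; HttpOnly; Path=/' -> ('sid', {'secure': '', 'httponly': '', 'path': '/'})"""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name, attrs


def hsts_max_age(value: str) -> int:
    """'max-age=31536000; includeSubDomains' -> 31536000 (0 if absent or malformed)."""
    for directive in value.split(";"):
        k, _, v = directive.strip().partition("=")
        if k.strip().lower() == "max-age":
            try:
                return int(v.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit(http_resp: dict, https_resp: dict) -> dict[str, bool]:
    """Each response is {'status': int, 'headers': [(name, value), ...]} (constructed shape).
    http_resp is what http://host/ returned; https_resp is https://host/ after login."""
    http_hdrs = {n.lower(): v for n, v in http_resp["headers"]}
    https_hdrs = [(n.lower(), v) for n, v in https_resp["headers"]]

    # 1. The plaintext origin must only redirect; if it serves the app, the cookie rides along.
    location = http_hdrs.get("location", "")
    redirects = http_resp["status"] in (301, 302, 307, 308) and location.startswith("https://")

    # 2. Every session cookie issued must be Secure (never sent over http://) and HttpOnly.
    secure = httponly = True
    saw_session = False
    for name, value in https_hdrs:
        if name != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(value)
        if cname.lower() in SESSION_COOKIE_NAMES:
            saw_session = True
            secure &= "secure" in attrs
            httponly &= "httponly" in attrs
    if not saw_session:  # nothing observed is not a pass
        secure = httponly = False

    # 3. HSTS tells a returning browser never to attempt http:// for this host at all.
    hsts = any(name == "strict-transport-security" and hsts_max_age(value) > 0
               for name, value in https_hdrs)

    return {
        "http_redirects_to_https": redirects,
        "session_cookie_secure": secure,
        "session_cookie_httponly": httponly,
        "hsts": hsts,
    }


def sidejackable(findings: dict[str, bool]) -> bool:
    """A session cookie without Secure is sent on the first http:// request the browser
    makes, whatever the server does afterwards; a redirect arrives too late, and HSTS
    only protects visits after the policy has been learned.  Secure is the test that matters."""
    return not findings["session_cookie_secure"]


# Constructed responses.  WEAK is the pattern the thread complains about: login over
# https, session cookie without Secure, and http:// happily serving pages.
WEAK_HTTP = {"status": 200, "headers": [("Content-Type", "text/html")]}
WEAK_HTTPS = {"status": 200, "headers": [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=s3ss10n-abc; Path=/"),
]}

HARDENED_HTTP = {"status": 301, "headers": [("Location", "https://social.example/")]}
HARDENED_HTTPS = {"status": 200, "headers": [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=s3ss10n-abc; Path=/; Secure; HttpOnly; SameSite=Lax"),
]}


if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (HARDENED_HTTP, HARDENED_HTTPS))):
        f = audit(*pair)
        print(label, f, "sidejackable:", sidejackable(f))
```

The three checks are ordered by how much they buy you. The Secure attribute is the one that closes the attack on its own; the redirect stops the plaintext origin from serving content, and HSTS removes the plaintext request entirely for browsers that have already seen the policy, which also takes away the throughput argument for serving the rest of the site over http://.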

#5  FromTheRafters, 11-10-2010, 01:05 AM

"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
news:m3d3qeb5zv.fsf@garlic.com...
>
> "FromTheRafters" <erratic.howard@gmail.com> writes:
>> Reading around on the net, I see recommendations for transport layer
>> security as having some effect against this attack - I don't see how, if
>> this really is about a cookie *file* on a computer on the unsecured wireless
>> network as indicated in the OP's quote. Getting hold of *cookies* in this
>> sense must not be quite the same as getting hold of *cookie files* stored on
>> a computer on the affected network - or else SSL/TLS wouldn't have any
>> effect on it.

>
> cookie capture is eavesdropping on open communication channel (during
> cookie transfer) ... followed by a "replay attack" of the harvested
> cookie ... then encrypting the communication is countermeasure to
> eavesdropping (as opposed to a trojan running on the victim machine that
> harvests the cookie from disk file).


Yes, what I meant was that the quoted article referred to cookie files - and
SSL doesn't deal with files.

> there is separate discussion about cookies being a poor solution
>
> lcamtuf's blog: HTTP cookies, or how not to design protocols
> http://lcamtuf.blogspot.com/2010/10/...to-design.html


I'll have a look, thanks.


