Public wifi insecure - even for secure sites?

-
The Register reports from the Black Hat Conference that even when surfing to an SSL-encrypted site using public wifi, if not all of the site enforces SSL, enough information can be intercepted to reveal Gmail and other personal websites:
The hack caught our attention because it shatters a common assumption concerning secure surfing on public access points. Up until now, we felt relatively safe using hotspots to access email as long as we logged in with an SSL session. Yes, we knew that any subsequent pages that were not appended by "https" in the address bar were were susceptible to snooping, but intruders still had no way to access the account itself.

Now we know better. Any session that isn't protected from start to finish by SSL is vulnerable to the hack. And because session IDs generated by most sites are valid for an indefinite period, that means intruders could silently access our accounts for years - even if we regularly change our passwords.
The Register suggests the Firefox extension CustomiseGoogle which, among other things, can mandate that rather than some Gmail traffic be encrypted, eliminating the information currently sent "in the clear".

Comments

Post a Comment

Popular posts from this blog

What is the virtue of a proportional response?

-
A question posed by Martin Sheen in his TV role as the President of the United States . Israel answered that question, correctly long ago - there is no virtue in meeting an attack on your territory with anything other than overwhelming, punitive force sufficent to dissuade future attacks. While I would oppose many Israeli security policies, in which Islamic state would you have seen the courts override the executive on humanitarian grounds, such as with their decision on the Concrete Curtain? The pullout from Gaza was widely predicted never to happen because Israel wouldn't stand up to its extremists - yet the landgrab settlements there have been removed. The proportional response from Hamas was to kidnap soldiers from the Israeli side of the fence. The proportional response from Hezbollah was to continue firing missiles into northern Israel - the fact that their missiles can reach Israeli soil at all being because (a) Israel complied with the negotiated settlement and pulled o
Read more

"Your request could not be completed. Please try again in a few minutes."

-
When setting automatic replies (Out of Office) via Exchange 2013 OWA on behalf of another user, the message in the title can be displayed when saving the text. If you look at the System Event Log on the Exchange Server, you may see the following event ID 4: Current user: '" (domain)/(OU)/(OU)/(administrator) " on behalf of " (domain)/(OU)/(OU)/(User) "' Request for URL ( long URL follows ) failed with the following error: Microsoft.Exchange.Management.ControlPanel.RegionalSettingsNotConfiguredException: We couldn't process the request because the user ' (domain)/(OU)/(OU)/(User) ' hasn't signed in to Outlook Web App and selected a language and a time zone. Ask the user to do this, or, if you are a member of the built-in Organization Management or Help Desk role group, you can use Window PowerShell to select a language and time zone for them. Cancel the Automatic Replies dialog and switch to Settings, which will display a Time Zone selecti
Read more

Remote Desktop Connection Manager - a boon for admins

-
I subscribe to a bunch of Microsoft blogs and one of them revealed a gem in the past month.  RDCMan, a tool which allows an admin to group together remote desktops, preset their username/password combos and connect to those groups with a right-click option, has been invaluable in my work lately which involves quickly jumping from server to server or from servers to a group of workstations.  The gorgeous thing about it is not merely a gallery of thumbnails of the connected sessions, but the ability to interact with the thumbnails with sufficiently accurate mouse clicks.  Heartily recommended. Here's the original post: Introducing Remote Desktop Connection Manager 2.2 (You had me at EHLO - the Microsoft Exchange Team blog)
Read more