SSL, The Elephant In The Room


Post by thetan on Sun Oct 24, 2010 8:58 pm

http://codebutler.com/firesheep

http://github.com/codebutler/firesheep

I've been nagging about the importance of end to end encryption for seemingly ages now. Thank god for people like this highlighting the importance.

Install this Firefox addon, connect to an unencrypted WAP, and let the session hijacking begin.
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP

“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein


Re: SSL, The Elephant In The Room

Post by Goatboy on Sun Oct 24, 2010 11:25 pm

Doesn't really work well, but it's a very early release so I can understand. My results:

Attacker comp: Desktop running Windows Vista, using a fairly generic Buffalo USB wireless card (no promisc)
Victim comp: Laptop running Ubuntu 10.04, using built-in wireless card (no promisc)

Test 1: Start capture on Attacker, visit Facebook on Victim. Both machines contained cookie data from my personal FB.
Result: N/A (Unable to tell if it worked, derp)

Test 2: Start capture on Attacker, visit dummy Facebook on Victim. Attacker has my personal FB cookies, Victim should now have dummy FB cookies.
Result: Fail. Unable to gain access on Attacker comp.

Test 3: All FB cookies on both computers have been erased. Start capture on Attacker, log in to Facebook as Victim on dummy account.
Result: Fail. Unable to gain access on Attacker comp.

Test 4: All cookies erased on both machines. Both have been restarted, and individually connected to the network. Attacker has Firefox open on blank tab, Victim opens Firefox and logs into dummy FB account.
Result: Fail. Unable to gain access on Attacker comp.



Although these tests are far from scientific, I think they are somewhat revealing. I'd like to see other people post their results as well, perhaps with a bit more scrutiny as to the scientific method. I also tried Tests 1 and 2 with a higher-end Alfa wireless card (promisc, packet injection, etc) and it still did not work. I made sure to select the correct driver to use before each test, and even tried a few that shouldn't work, just for the hell of it.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk


Re: SSL, The Elephant In The Room

Post by thetan on Mon Oct 25, 2010 3:36 pm

Worked fine for me at work on my laptop :-/


Re: SSL, The Elephant In The Room

Post by Goatboy on Mon Oct 25, 2010 3:40 pm

That's because you are God encased in a mortal shell.


Re: SSL, The Elephant In The Room

Post by thetan on Tue Oct 26, 2010 4:30 pm

And in the wake of Firesheep comes yet another similar system.

This time it's called "idiocy"

http://jonty.co.uk/idiocy
http://github.com/jonty/idiocy


Re: SSL, The Elephant In The Room

Post by tgoe on Tue Oct 26, 2010 10:59 pm

zomg, idiocy should be renamed juicy.


Re: SSL, The Elephant In The Room

Post by Goatboy on Tue Oct 26, 2010 11:09 pm

tgoe wrote: zomg, idiocy should be renamed juicy.

wat


Re: SSL, The Elephant In The Room

Post by sanddbox on Tue Oct 26, 2010 11:21 pm

wat

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat


Re: SSL, The Elephant In The Room

Post by tgoe on Tue Oct 26, 2010 11:44 pm

lol I officially resign from my post.


Re: SSL, The Elephant In The Room

Post by thetan on Thu Oct 28, 2010 2:20 pm

tgoe wrote: lol I officially resign from my post.

I believe this only furthers the confusion.

