Comments on: FireSheep: Grey Hat Security?

By: Matt

Matt — Wed, 10 Nov 2010 21:00:18 +0000

In a perfect world, yes. But you wouldn’t need to pay for SSL certificates, then. I agree that it’s better to have SSL, but it’s not necessary feasible for every site at this point.

By: Mike

Mike — Tue, 09 Nov 2010 13:19:31 +0000

I don’t agree with your assertion that SSL shouldn’t be necessary for everything. If somebody performing a MITM can insert scripting on any page of any website, that gives them a platform to initiate CSRF and XSS attacks against other sites. Even sites which might themselves be protected by SSL.

If the web were 100% encrypted, it would be safer to use, your privacy would be more secure from attackers, nosey network admins, ISPs and governments. It would also help with network neutrality.

By: Matt

Matt — Mon, 08 Nov 2010 21:47:52 +0000

Oh, and thanks for the Rapid SSL tip. I’ll have to remember them.

By: Matt

Matt — Mon, 08 Nov 2010 21:45:53 +0000

That doesn’t change the fact that sidejacking wasn’t something that happened to most people. Because it required technical skills and motivation. Building software that puts it in the hands of kids who think it’s “funny” is irresponsible and unnecessary.

I live in an area that isn’t exactly known for its average citizens’ computer skills, which meant that I would never have had to worry about this sort of thing, aside from not logging on to important things on more dubious access points. Now I’ll have to watch what I do at the local library or McDonalds.

I’m not saying SSL isn’t a good idea for larger sites. (Especially high-risk sites like banks or PayPal, which I wouldn’t use if they didn’t have HTTPS…) It just shouldn’t be necessary for everything. There’s not much reason for somebody to hijack a Twitter account, except “for the hell of it.” That wouldn’t have happened before Firesheep.

By: Mike

Mike — Mon, 08 Nov 2010 21:35:34 +0000

Rapid ssl starts at $79 so there are cheaper options and I really don’t think $230 is too much for a startup to risk if they have faith in what they’re doing.

If you needed to admin your blog you could use your hosts certificate and add an exception for the name not matching?

Theres no excuses for companies who are expected to be trusted to not provide adequate security for the protection of users sensitive data.

By: Matt

Matt — Mon, 08 Nov 2010 21:21:06 +0000

Except for smaller websites. Startup companies operating out of a garage don’t need another thing to pay for. Bloggers, like me, can’t afford to pay $230/year for an SSL certificate to protect our admin panels. Et cetera.

It wouldn’t be as big of a deal if you didn’t have to pay a third-party for a certificate. But you do, and it’s not cheap.

By: Mike

Mike — Mon, 08 Nov 2010 12:02:08 +0000

And as a direct result of it becoming easier websites will in time start to force SSL connections solving the problem won’t they?