Firesheep and dMw...

Started by Othbarty, February 15, 2011, 09:24:16 PM

Othbarty

Just figured out that our forums are not accessible through https. That’s a little concerning imho... Just thinking about last year's conundrum around firesheep and https. Given that it’s that easy to hijack a session, would it be smart to invest in a godaddy.com or equivalent SSL certificate to get our beloved website a little more secure? Or at least give it a serious thought.

Didn't know where else to put it, didn't figure it belonged in the general forums section.

For those of you that haven't heard of firesheep, here are a couple of URLs for you :-)
-=[dMw]=-Othbarty  ::  Mighty Cheese Event
"Trust the awesomeness!"
- Skippy the Magnificent

Snokio

Sounds like a good idea, especially those using wifi hotspots IIRC?
Bring on the randomness!
Apparently I actually exist! Or maybe it was the drink?

Othbarty

Yep, any user of an open wifi hotspot would be an easy target for session hijacking.

BrotherTobious

Firesheep is a pain in the ass, yeah I am with Oth here.
"It's hard, but not as hard as Arma!!!" Tutonic
"Over the centuries, mankind has tried many ways of combating the forces of evil... prayer, fasting, good works and so on. Up until Doom, no one seemed to have thought about the double-barrel shotgun. Eat leaden death, demon.." Terry Pratchett

smilodon

This is why I never do any forum admin when I'm out and about on the road. Such as now for instance, as I'm sat in a coffee shop with an open wifi network. Sometimes I get requests from Game Admins to give access to a certain forum to someone. It has to wait till I get home. It would be nice to be able to admin the forum from any location.
smilodon
Whatever's gone wrong it's not my fault.

Tutonic

As someone who suffered a Gmail account hack last night - I endorse this suggestion.

I suspect someone nabbed my password while I was logged into Gmail on my phone, probably on an open wifi network somewhere. Luckily Google spotted it and shut down my account before they could do any damage.
Hero of the Battle Of Chalkeia
"Don't worry, none of this blood is mine"

Gandalf

Dunno about godaddy, but if this is something that is to be considered then I use trustico for SSL certs. This one will suffice I feel.

However, it'd be a global change as we'd need to change the config so everyone will be connecting over SSL and if we have any external API links (google analytics, wowhead spring to mind) then we will get this issue due to the browser complaining about mixed content warnings.
*G*

Cake: Four large eggs. One cup semi-sweet chocolate chips. Three/four cups butter or margarine. One and two third cups granulated sugar. Two cups all purpose flour. Fish shaped ethyl benzene. Twelve medium geosynthetic membranes. Three tablespoons rhubarb, on fire.

Othbarty

Mixed content warnings are better than session hijacking imho, and godaddy was just a browser-preapproved CA. As long as we post a message while sorting out the external links to sites like GA and wowhead over time, there really shouldn't be a problem. That's what I think anyways :-)

Just remember that it's your session that is hijacked, NOT your password...

Oh and tut, your pw is never transmitted in the clear to google... They enforce secure login. Most likely your pw was brute forced or guessed.
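As an added illustration of the point made in this thread (this is example code, not anything from the forum or its software): a small audit that takes a captured HTTP response and reports whether the session cookie is exposed the way Firesheep relies on, i.e. served over plain HTTP, without the Secure/HttpOnly attributes, and without HSTS once the site moves to HTTPS. The sample responses and the cookie name `forum_session` are constructed placeholders, not this forum's real headers.

```python
"""Check a raw HTTP response for the session-exposure conditions Firesheep exploits."""

REDIRECTS = {"301", "302", "307", "308"}


def parse_response(raw: str):
    """Split a raw HTTP response into (status code, [(header name, value), ...])."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status_code = lines[0].split()[1]
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def audit_session_exposure(raw: str, scheme: str) -> list:
    """Return findings for a response that was fetched over `scheme` ('http' or 'https')."""
    status_code, headers = parse_response(raw)
    cookies = [v for n, v in headers if n == "set-cookie"]
    findings = []
    if scheme == "http":
        to_https = status_code in REDIRECTS and any(
            n == "location" and v.startswith("https://") for n, v in headers)
        if not to_https:
            findings.append("no-redirect-to-https")
        if cookies:
            # Cookie crosses the wire in the clear: anyone on the same open
            # wifi can read it and replay the session (no password needed).
            findings.append("session-cookie-sent-in-clear")
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:  # browser would still send it over http://
            findings.append(f"{name}:missing-Secure")
        if "httponly" not in attrs:  # readable from page scripts
            findings.append(f"{name}:missing-HttpOnly")
    if scheme == "https" and not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no-hsts")  # first visit can still start over plain HTTP
    return findings


# Constructed samples: the forum as described in the thread vs. after a site-wide TLS move.
PLAIN_HTTP_FORUM = ("HTTP/1.1 200 OK\r\n"
                    "Set-Cookie: forum_session=abc123; path=/\r\n"
                    "Content-Type: text/html\r\n\r\n")
HTTPS_FORUM = ("HTTP/1.1 200 OK\r\n"
               "Set-Cookie: forum_session=abc123; path=/; Secure; HttpOnly\r\n"
               "Strict-Transport-Security: max-age=31536000\r\n\r\n")

if __name__ == "__main__":
    print(audit_session_exposure(PLAIN_HTTP_FORUM, "http"))  # four findings
    print(audit_session_exposure(HTTPS_FORUM, "https"))      # []
```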