I agree. This strikes me as non-news. Side-jacking is a bad thing. We get it. Use VPN, use SSH tunneling, in general don't be dumb when using an open network. If possible use the https version.
End to end crypto is great, but I generally use a VPN whenever logging in from a public network for all traffic, just to avoid this -- anyone sniffing my Gig-E uplink at the colo, or the backbone, or the site, will hopefully only see SSL traffic to sites, but just in case, I'd rather put an extra barrier up for the easy coffeeshop wireless sniffing attacker.
I came here to post this. You don't have to sit around and wait for Twitter to implement SSL. Many who implement SSL don't do so correctly anyway.
If you're using a public internet connection, make sure you're at least using a SOCKS proxy to browse or IM. Pretty simple setup: ssh -ND 8001 me@myserver, and use proxy localhost:8001.
> Many who implement SSL don't do so correctly anyway.
Yea, be careful in particular with mixed content. Depending on the origin of the insecure content and depending on whether the cookie was marked as "secure", these may or may not leak plaintext cookies.
Just make sure you don't use any part of the Facebook platform (that includes commenting on various sites, like buttons) or apps within Facebook as using any of them will revert the SSL setting back to off in the settings.
"I tested several times and each time I found an application that asked me to "continue" to a "regular connection", my default Account Security settings reverted to HTTP."
Sad to see this in relation to TED talks. The TED site has a great deal of integrity so seeing someone hack a person's twitter account is disheartening. No matter the cause, taking someone's account just to prove a silly point is wrong.
15 comments
[ 3.5 ms ] story [ 49.6 ms ] threadI had to read that sentence like five times in order for it to make sense.
http://en.wikipedia.org/wiki/Garden_path_sentence
https://twitter.com FTW
If you're using a public internet connection, make sure you're at least using a SOCKS proxy to browse or IM. Pretty simple setup: ssh -ND 8001 me@myserver, and use proxy localhost:8001.
Yea, be careful in particular with mixed content. Depending on the origin of the insecure content and depending on whether the cookie was marked as "secure", these may or may not leak plaintext cookies.
Facebook does now have an 'enable SSL by default' option.
Account> Account Settings> Account Security> Secure Browsing (https)
http://www.f-secure.com/weblog/archives/00002106.html
"I tested several times and each time I found an application that asked me to "continue" to a "regular connection", my default Account Security settings reverted to HTTP."