15 comments

[ 3.5 ms ] story [ 49.6 ms ] thread
So someone in the audience was using Firesheep. Horrors.

https://twitter.com FTW

I agree. This strikes me as non-news. Side-jacking is a bad thing. We get it. Use VPN, use SSH tunneling, in general don't be dumb when using an open network. If possible use the https version.
The two tweets Kutcher made from TED were from the iPhone client and foursquare. Are there SSL options on those?
End to end crypto is great, but I generally use a VPN whenever logging in from a public network for all traffic, just to avoid this -- anyone sniffing my Gig-E uplink at the colo, or the backbone, or the site, will hopefully only see SSL traffic to sites, but just in case, I'd rather put an extra barrier up for the easy coffeeshop wireless sniffing attacker.
I came here to post this. You don't have to sit around and wait for Twitter to implement SSL. Many who implement SSL don't do so correctly anyway.

If you're using a public internet connection, make sure you're at least using a SOCKS proxy to browse or IM. Pretty simple setup: ssh -ND 8001 me@myserver, and use proxy localhost:8001.

> Many who implement SSL don't do so correctly anyway.

Yea, be careful in particular with mixed content. Depending on the origin of the insecure content and depending on whether the cookie was marked as "secure", these may or may not leak plaintext cookies.

Not related to Twitter, but I saw this in the comments:

Facebook does now have an 'enable SSL by default' option.

Account> Account Settings> Account Security> Secure Browsing (https)

Lifehacker had this a few weeks ago, after FireSheep was big.
Yeah, but it supposedly breaks lots of stuff, like third-party apps. Pretty useless for anyone who would need it.
Just make sure you don't use any part of the Facebook platform (that includes commenting on various sites, like buttons) or apps within Facebook as using any of them will revert the SSL setting back to off in the settings.
Yeah, but I saw this the other day from F-Secure about Facebook's SSL option:

http://www.f-secure.com/weblog/archives/00002106.html

"I tested several times and each time I found an application that asked me to "continue" to a "regular connection", my default Account Security settings reverted to HTTP."

i still see 0 use for twitter.
Sad to see this in relation to TED talks. The TED site has a great deal of integrity so seeing someone hack a person's twitter account is disheartening. No matter the cause, taking someone's account just to prove a silly point is wrong.