[Offtopic] Wi-Fi hotspot .. access accounts via VPN or SSL
stephen at melbpc.org.au
stephen at melbpc.org.au
Thu Aug 2 04:33:21 EST 2007
Quoted: "never use a Wi-Fi hotspot unless you are using VPN (virtual
private networking) or SSL (secure sockets layer) to access accounts"
Researchers: Web apps over Wi-Fi puts data at risk
Security experts warn that packet sniffers can collect cookie information
while a user is accessing rich Web apps over Wi-Fi
By Jeremy Kirk, IDG News Service August 01, 2007
Users who access Google's Gmail or the Facebook social-networking site
over Wi-Fi could put their accounts at risk of being hijacked, according
to research from Errata Security, a computer security company
It's not just those sites but any rich Web applications that exchange
account information with users, including blogging sites such as
Blogspot .. wrote Errata CEO (etal) in a paper.
Most Web sites use encryption when passwords are entered, but because of
the expense, the rest of the information exchanged between a browser and a
Web site is not encrypted, they wrote in a paper presented at the Black
Hat 2007 security conference in Las Vegas this week.
Using a packet sniffer, which can pick up data transferred between a
wireless router and a computer, it's possible to collect cookie
information while a user is accessing one of those sites over Wi-Fi.
Cookies consist of bits of data sent to a browser by a Web site to
remember certain information about users, such as when they last logged
Included in the cookie can be a "session identifier," which is another bit
of unique information generated when people log into their accounts.
By collecting cookie information and the session identifier with the
packer sniffer and importing it into another Web browser, the hacker can
get inside a person's account. The attacker may not, however, be able to
change a person's password, since many Web 2.0 applications require a
second log-in to change account information.
Nonetheless, it could allow a hacker to create blog postings, read e-mail,
or do other malicious activity. Meanwhile, the victim is directed to a
version of the Web page they intended to visit, which Errata
There is a remedy, however. "The consequence of this is that users should
never use a Wi-Fi hotspot unless they are using VPN (virtual private
networking) or SSL (secure sockets layer) to access their accounts," they
Message sent using MelbPC WebMail Server
More information about the offtopic