Firesheep - WiFi Security Issue

[ActiveCaptain]

Quote:

Originally Posted by SailFastTri

It seems you're raising alarms about everyone else's connection but haven't addressed legitimate questions about what's under your direct control.

Our site, like most, doesn't do enough. All purchase transactions are completely secure and that's the biggest threat for something like ActiveCaptain. That said, I'm working on putting everything under https because of these recent developments.

Of course, if users would follow the advice we've been promoting of using WPA routers or VPN tunnels, the threats would be minimized for all internet use including our site.

[capt_douglas]

Interesting and informative discussion, so thanks all for the comments.

No system is completely secure, as many of you realize. Whether I do my internet business via a computer in an internet cafe, via my personal laptop ethernet to a local service, or wifi (free or WEP), there's always a risk of your data being compromised.

The best we can do is to be aware, take all precautions, and understand that we must pick and choose where to do out personal or financial business.

[ActiveCaptain]

Quote:

Originally Posted by ActiveCaptain

Our site, like most, doesn't do enough. All purchase transactions are completely secure and that's the biggest threat for something like ActiveCaptain. That said, I'm working on putting everything under https because of these recent developments.

Geez, I'm quoting myself now...

We just finished cutting over our entire site. All transactions happen with https using our new secure and certified IP's. Any previously bookmarked URL's will automatically switch to https when they connect. Although the risk on ActiveCaptain was pretty low - I guess someone could see the lat/lot where you were looking or the articles you were reading.

[SailFastTri]

Quote:

Originally Posted by ActiveCaptain

Geez, I'm quoting myself now...

We just finished cutting over our entire site. All transactions happen with https using our new secure and certified IP's. Any previously bookmarked URL's will automatically switch to https when they connect. Although the risk on ActiveCaptain was pretty low - I guess someone could see the lat/lot where you were looking or the articles you were reading.

IMHO that's overkill. As you noted, is it really a concern if someone sees what lat/long you were looking at? If you just keep the user-login and e-commerce sections encrypted it would be adequate.

Also, it looks like you already do this -- but to prevent session hijacks sites should also use session cookies rather than embedding the session info in the URL.

[ActiveCaptain]

Quote:

Originally Posted by SailFastTri

IMHO that's overkill.

I don't think so. It shows that we care about our user's security. There's a new messaging system in ActiveCaptain and no one should feel like their private messages are being read because they're on an open network. We're a huge resource of reviews and many times people want their reviews separated from their email address (which we do). But now, no one sniffing the network traffic can put it together either.

In software development it's called "eating your own dog food". If I'm going to raise concerns about network security, we should be an example and try to protect our users.

[Auspicious]

Quote:

Originally Posted by ActiveCaptain

In software development it's called "eating your own dog food". If I'm going to raise concerns about network security, we should be an example and try to protect our users.

I think that's the most important issue. Jeff is standing by what he is recommending for others. It's good to be consistent.

[CarlF]

When I was having my offshore custom boat built, the builder submitted the deck layup schedule to an engineering firm. They reported back that it was "overkill".

Since the cost and weight difference between "acceptable" and "overkill" was negligible, the builder and I agreed that we didn't have a problem with "overkill". I thought about that a few months ago when 10ft waves were breaking onto that deck.

While ocean waves don't seem to be any more dangerous than last year, the security situation on the Internet is much worse than a few years ago and it's reasonable to assume that even worse is to come. Interesting piece in the New York Times today about the Chinese government's very successful attacks and thefts on both government and commercial sites - partly because a top Chinese government official googled himself and didn't like what he saw.

Jeff, thanks for going for "overkill".

Carl

[Islander]

You can now configure Hotmail to use a fulltime https connection, i.e. not just at sign-in. This will protect your Hotmail sessions from firesheep-type intrusions.

Go to your Inbox and click on "Options" in the upper right corner, select "More options ...".

Under "Customizing Hotmail" select "Advanced privacy settings" then select "Go to HTTPS settings" and select "use HTTPS automatically".

Click the Save button. That's it.

Cheers.