Firesheep protection
sck18, 02/18/2011, 08:42 PM, #21

bump - can we force contacts/calendar to sync using https? Or are ALL Google connections SSL if you select "always use https" for Gmail?

Last edited by sck18; 02/26/2011 at 07:00 AM. Reason: typo

Mr._Happy, 02/26/2011, 01:19 AM, #22

If you use Gmail there is an "always use https" setting.

Facebook has it now too - although using it screws some of the gaming apps up at this point.

tomlamb, 06/06/2011, 05:41 PM, #23

Was anyone able to figure out if the Contacts use HTTPS when updating from Facebook, Twitter, LinkedIn, etc?

rcmarvin, 06/06/2011, 09:24 PM, #24

Quote, originally posted by lordbah: "Are Calendar and Contacts automatically making unsecured connections periodically? If so, can't we patch them to use HTTPS?"

I don't think so, at least not all of them. I've made a test by making my Pre connect to my computer via WiFi, then creating a new Google calendar event and a new Google contact. I found out that I can view the new calendar event and contact easily (i.e. they are in plaintext form, not encrypted).

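Added example, not part of the original thread: a check in the spirit of the test described in post #24, run over requests from your own device that you have logged through a proxy you control. The `(scheme, raw request head)` input format, the hostnames and the sample flows are assumptions constructed for illustration; only header names are reported, never their values.

```python
"""Flag session-bearing headers that left your own device over plaintext HTTP."""
from dataclasses import dataclass

# Headers whose values let an observer act as the logged-in user.
SENSITIVE = {"cookie", "authorization"}

@dataclass
class Finding:
    host: str
    path: str
    exposed: list  # header names only; values are never kept

def parse_head(raw):
    """Split a raw HTTP/1.x request head into (path, lower-cased headers dict)."""
    lines = raw.strip().splitlines()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[1], headers

def audit(flows):
    """flows: iterable of (scheme, raw_head). Returns plaintext exposures only."""
    findings = []
    for scheme, raw in flows:
        if scheme.lower() == "https":
            continue  # encrypted on the local network segment
        try:
            path, headers = parse_head(raw)
        except ValueError:
            continue  # not an HTTP request; skip rather than guess
        exposed = sorted(h for h in headers if h in SENSITIVE)
        if exposed:
            findings.append(Finding(headers.get("host", "?"), path, exposed))
    return findings

# Constructed sample flows (placeholder hosts, not real sync endpoints).
SAMPLE = [
    ("http", "GET /calendar/feeds HTTP/1.1\r\nHost: sync.example.test\r\nCookie: SID=constructed\r\n\r\n"),
    ("https", "GET /mail HTTP/1.1\r\nHost: mail.example.test\r\nCookie: SID=constructed\r\n\r\n"),
    ("http", "GET /logo.png HTTP/1.1\r\nHost: static.example.test\r\n\r\n"),
    ("http", "not an http request"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"plaintext {f.host}{f.path}: exposes {', '.join(f.exposed)}")
```
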
tomlamb, 06/07/2011, 10:22 AM, #25

I am surprised that I could not find anything to verify that the Facebook app and contact interface are done through HTTPS or HTTP. With the AT&T phones normally set to automatically connect to their Hotspots (Starbucks), I would think there would be enough concern to at least have HP/Palm give a statement about it.

Update: According to a support supervisor, the default (LinkedIn, Facebook, Twitter) is to use http, so that was not what I wanted to hear. If this is true, this would be a problem for those who automatically connect to AT&T hotspots, as your info could get caught by Firesheep or FaceNiff. The supervisor said he would forward this as a feature request.

Last edited by tomlamb; 06/07/2011 at 12:34 PM.

Unclevanya, 06/07/2011, 12:37 PM, #26

Does anyone know if the LinkedIn contact sync and application use https?

Last edited by Unclevanya; 06/07/2011 at 12:48 PM.

tomlamb, 06/07/2011, 12:43 PM, #27

The reply I got from one supervisor is that Facebook, LinkedIn, and Twitter by default connect via http. That is just one support session (started with a regular support guy and escalated to a supervisor), so you should take it with a grain of salt.

Unclevanya, 06/07/2011, 01:16 PM, #28

Quote, originally posted by tomlamb: "The reply I got from one supervisor is that Facebook, LinkedIn, and Twitter by default connect via http. That is just one support session (started with a regular support guy and escalated to a supervisor), so you should take it with a grain of salt."

The answer they gave isn't really detailed enough - we need to know if the app and Synergy both do this or if only one or the other does this. We also need to know if this can be changed easily or if OS patches are required.

Orion Antares, 06/07/2011, 01:46 PM, #29

Quote, originally posted by Unclevanya: "Does anyone know if the LinkedIn contact sync and application use https?"

Last I checked a couple of days ago, LinkedIn didn't yet support full session SSL, but it's in their plans to do so. When they do, though, it will be off by default, so you'll still need to turn it on in your account settings.

tomlamb, 06/07/2011, 02:48 PM, #30

Quote, originally posted by Unclevanya: "The answer they gave isn't really detailed enough - we need to know if the app and Synergy both do this or if only one or the other does this. We also need to know if this can be changed easily or if OS patches are required."

I agree completely. As I am new to webOS (only 1 day) I am not sure where to send this, but for now I guess I will just keep the WiFi off.

Unclevanya, 06/07/2011, 03:21 PM, #31

Quote, originally posted by tomlamb: "I agree completely. As I am new to webOS (only 1 day) I am not sure where to send this, but for now I guess I will just keep the WiFi off."

Probably a good solution for the most part.

There are some SSL-based proxies that would limit exposure on the local wireless network. These do not provide full SSL protection since they only provide the SSL tunnel to the gateway and from then on it's unencrypted again - but this does prevent people on the same LAN from stealing your info from the web browser - however it does not help for non-browser based connections.

Potentially a VPN could help - but in the same way as before it would be limited to protection at the local network layer - once it reached the gateway it would be decrypted and vulnerable, but presumably this would be a smaller risk.

I haven't really tried either of these solutions with webOS - guess it's time to start looking into this.