[dbtrade]

I know my connections have been insecure, but now that it has been publicized and the firesheep plugin has been released, I am very concerned about my Pre and WiFi out in the world.

Lamely, I have not provided links, but as you are probably aware, Firesheep can steal the cookies and sidejack accounts on most of the social sites. this INCLUDES gmail, facebook, twiiter etc.

So, in the past I have kept my WiFi on for my Pre as I walk about town. It logs into Starbucks for example if I am in there.

The autosync feature of my pre will automatically log onto some of the services that Firesheep can steal.

Therefore, I am looking for someway to insert VPN into the WiFi path of my phone and I guess disable automatic syncing of e-mail, or at lease automatic insecure WiFi log on.

While I can poke around the internals of my Pre and do some experienced user stuff, I am no expert at Linux security etc.

I am wondering if the real gurus of these forums have done any thinking about this and could proffer some ideas??

db

[thejasonhowell]

I'd like to see this happen.

[whodo_voodoo]

The autosync feature of my pre will automatically log onto some of the services that Firesheep can steal.

Is it logging in each time though or are the services storing log in cookies between sessions?

Not that it helps secure you from Firesheep if you did need to log in but might make the phone slightly more secure if the cookies are stored already.

[dbtrade]

Is it logging in each time though or are the services storing log in cookies between sessions?

Not that it helps secure you from Firesheep if you did need to log in but might make the phone slightly more secure if the cookies are stored already.

Well my understanding is that Firesheep grabs the cookies as they transmit. So, either way, no?

[RickNeff]

Well my understanding is that Firesheep grabs the cookies as they transmit. So, either way, no?

Why not just use the SSL connections instead of unencrypted connections? I believe that was the whole reason why Firesheep was developed: To highlight the need to connect via SSL rather than unencrypted traffic.

[whodo_voodoo]

In which direction though? I'm assuming it can grab cookies being transmitted to you but can it also grab the details when they're being sent from your device to the service you're using (ie have previously logged into a service elsewhere so still have the cookie stored and its then used when I next connect to the service).

Of course this all assumes my impression of how cookies and Firesheep works is correct.

[RickNeff]

Palm actually has a small whitepaper on WebOS security features: http://www.palm.com/us/assets/pdfs/b...r_Security.pdf

Of course, I'd also recommend not leaving WiFi on all the time.

[RickNeff]

In which direction though? I'm assuming it can grab cookies being transmitted to you but can it also grab the details when they're being sent from your device to the service you're using (ie have previously logged into a service elsewhere so still have the cookie stored and its then used when I next connect to the service).

Of course this all assumes my impression of how cookies and Firesheep works is correct.

SSL encrypts both directions, so that should never be an issue.

[dbtrade]

Firesheep sniffs all packets on the open network on which it is active.

I have some accounts that will not use SSL

[RickNeff]

I have some accounts that will not use SSL

But, that's the actual problem which WebOS really can't do anything about. You have to either use SSL or a VPN connection. Or, simply don't use sites that use unencrypted traffic.

Regarding your original questions, I'm not aware of any settings that allow for what you want to do.

[dsei]

For now, you're pretty much at the mercy of the services that use non-SSL connections. Your best defense is to use 3G instead of non-encrypted Wifi.

When 2.0 is released, you'll have the option to use IPSEC VPN which will facilitate what you're asking for. Of course, you'll need something to "VPN to" first.

[ryleyinstl]

Gmail should be using SSL on your webOS phone by default...check the settings to make sure.

[BobKy]

Using Wi-Fi? Firesheep may endanger your security

Some thoughts on BlackSheep and Firesheep

[Helidos]

WoW so a guy creates an extension for firefox to prove a point but instead of doing so in a controlled way. He releases it to the masses so that millions of peoples security are at risk. Brilliant!!

And people wonder why the world is in the shape it is in. Hey I need to prove a point about this toxic material, how could I do this? I know I'll dump it out by the ton into every major city and go see I told ya. /facepalm

[dbtrade]

For now, you're pretty much at the mercy of the services that use non-SSL connections. Your best defense is to use 3G instead of non-encrypted Wifi.

When 2.0 is released, you'll have the option to use IPSEC VPN which will facilitate what you're asking for. Of course, you'll need something to "VPN to" first.

Thinking about a proxy server for the Pre

[knobbysideup]

What services are you running on the phone that:
1) automatically connect to web sites and
2) use cookies?

I think the actual threat is likely less than you think it is. The things I have checking automatically are mail and some IM stuff, and that is all done over SSL or TLS.

The obvious solution is to keep wifi off. Is there a reason that you have it enabled to automatically connect to untrusted networks constantly?

[knobbysideup]

WoW so a guy creates an extension for firefox to prove a point but instead of doing so in a controlled way. He releases it to the masses so that millions of peoples security are at risk. Brilliant!!

And people wonder why the world is in the shape it is in. Hey I need to prove a point about this toxic material, how could I do this? I know I'll dump it out by the ton into every major city and go see I told ya. /facepalm

Your security has always been at risk. If you don't understand how trivial it is to sniff a public network and grab session IDs, that is nobody's fault but your own. HTTP is stateless, so you have to always send an identifier back to the server. Bummer. This also highlights how dumb it is for so-called webmasters to set up an SSL encrypted login page, only to then take the user to the actual site in cleartext. Cool, I can still get into your account.

You don't need a special firefox plugin to do this, and never have. The release of this makes the ignorant public aware of this, and perhaps puts pressure on web administrators to use SSL, since it's been around pretty much forever now.

Just wait till you see what one can do to you with DNS poisoning and metasploit reverse shells. Not even your firewall can protect you, my friend. And pretending to be the airport or unsecured coffee shop's wifi is always a good time.

[steev182]

I personally think Firesheep is proving an excellent point and by doing this, it should be forcing the likes of facebook to think a lot harder about their user security policies.

If you are so worried about Facebook being highjacked, stop using it, or only use your 3G connection.

[failmatic]

1. Connect your phone to your private wifi at home
2. Use facebook or ohter non https service
3. Use firesheep on your computer
4. check to see if it is able to access your account.

[lordbah]

Are Calendar and Contacts automatically making unsecured connections periodically? If so, can't we patch them to use HTTPS?