arstechnica.com — Don't be fooled by that login screen on your Facebook, Gmail, or Blogspot account. It's easier than ever for hackers to get in between you and your data by hijacking your session information over WiFi to do all sorts of malicious things, says one security firm.
Aug 1, 2007
stupergenius Aug 2, 2007
You pay your ISP some dollars more per month or use something like http://www.dyndns.com/services/dns/dyndns/.
sjbdallas Aug 2, 2007
Using instant pudding, a graham cracker crust, and tub of cool whip is easy. Making dough, rolling out the right thickness, getting into a pie crust w/out tearing, chopping up the fruit to the right size, measuring out the right amount of sugar and spices, figuring out what kind of top to have (fully covered or lattice), getting that put on right, then trying to bake it so the edges don't burn but the inside cooks? Huge pain in the butt.
error601 Aug 2, 2007
Step away from the bong.
lordofshadows Aug 3, 2007
The HTTP protocol is stateless; it doesn't remember if you are logged in or not. Cookies were added to provide state to the HTTP protocol. A cookie is pretty much a plain text line in the HTTP request that you can set to whatever you want; it provides state by sending whatever you want to remember to the server every time you request a page. A sessionid is a cookie that the server uses to identify you when you are logged in. (It uses a unique id to identify you instead of sending the actual persistent data.) Webpages like Gmail use a secure connection so people with packet sniffers don't get to see your username and password sent in plaintext (literally user=bob&pass=bobisgod), which is good. But then they leave the secured mode and send out your sessionid in plain text, which, if found out by someone else while you are logged in, would allow someone to be logged in as you. They won't know your password, but it doesn't matter much because they are already logged in. Example HTTP request with PHP-style session id (that number is the only thing separating your logged-in state from someone else's):

    GET / HTTP/1.1
    Host: www.digg.com
    Cookie: PHPSESSID=123456b0bf8a8f2fd46f43925b4c47b1;
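Added example, not part of the comment above or of the article: a small audit of Set-Cookie headers that reports which session cookies a browser would attach to a plain http:// request, which is the condition the comment describes. The sample headers, the name heuristic and the function names are constructed for illustration; the check relies on the standard Secure cookie attribute, which limits a cookie to HTTPS requests.

```python
# Added example: which session cookies would travel in cleartext?
# Heuristic for "this cookie carries a session" (an assumption, tune per site).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def cookies_sent(scheme, set_cookie_headers):
    """Names of cookies a browser would attach to a request using `scheme`."""
    sent = []
    for raw in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(raw)
        # A cookie marked Secure is withheld from plain HTTP requests.
        if "secure" in attrs and scheme != "https":
            continue
        sent.append(name)
    return sent


def exposed_session_cookies(set_cookie_headers):
    """Session-like cookies that would be visible to a sniffer on http://."""
    return [
        name
        for name in cookies_sent("http", set_cookie_headers)
        if any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    ]


# Constructed sample responses (values are made up for the example).
SAMPLE_HEADERS = [
    "PHPSESSID=123456b0bf8a8f2fd46f43925b4c47b1; path=/",
    "theme=dark; path=/",
    "SID=0a1b2c3d4e5f; Path=/; Secure; HttpOnly",
    "auth_token=feedface; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie_name in exposed_session_cookies(SAMPLE_HEADERS):
        print(f"{cookie_name}: no Secure attribute, sent over plain HTTP")
```
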
aallaann Aug 3, 2007
If you use PSK then any authorized user can sniff packets from any other authorized user. So the same attack is possible, but only those who have the pre-shared key can launch the attack. Still, you probably wouldn't want your kid breaking into your online accounts.