Enterprise 2.0 optimize

(Wi-Fi) cookies are bad for you: Security of public Wi-Fi fails


Wi-FiAlmost all Web-based e-mail and other collaborative services just aren't safe to use over public Wi-Fi any more, due to a breach described today by a security firm CEO at the Black Hat security conference.

Web 2.0 services, even though the login's made through SSL (Secure Sockets Layer), are crackable through a simple workaround, announced by Rob Graham, the aforementioned security guru, at the Las Vegas Black Hat conference today. Unlimited access to your accounts only requires an ordinary network sniffer program to read the cookies sent to users by Google Mail, Yahoo, and scores of other sites. That cookie confirms the browser asking for data belongs the person just logging in, but using a copied cookie by a completely different browser makes unrestricted access to your accounts easy.

"If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you," Graham said during a presentation reported by The Register. "Web 2.0 is now fundamentally broken."

Any session not totally SSL-secured from beginning to end is crackable. The indefinite duration of many session IDs allows silent access to your accounts years from now, even after passwords change. Therefore, instant messenger services offered by Web 2.0 firms (again, Yahoo comes to mind) which use the same password as e-mail service are also crackable.

The one exception was Google, and only if the customizegoogle firefox extension is set to lock Gmail, Google Calendar, and Google Docs into requiring SSL encryption for their entire sessions.

How will this change your public Wi-Fi habits? Are you alerting your road warriors the only path to safety without a VPN is the Google-Firefox-extension trinity?

--------------------------------------------------------------------------------

Stay on top of the latest tech news Get this news story and many more by subscribing to our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!

17 comments
deepsand
deepsand

Cookies are bad? What a mis-leading and ill informed title.

jely_pankyta
jely_pankyta

Although I'm using wi-fi, i'm kinda shocked!!!!!!

AndrewB
AndrewB

hell, public wifi is just that... PUBLIC. I don't like using it... and now that I have an AT&T 8525 with internet sharing, it is no longer a problem. The worst case scenario is that I have to deal with Edge in some fringe markets. Otherwise, 3G is more than fast enough for 99% of what I do online.

mchapman
mchapman

Question from an occasional user. You are talking about "public wi-fi" here. Does that include wireless provided by a hotel, say? Seems like it would. If so, and you don't use a locked-down Google account or VPN, is it safe to do anything requiring a password?

marka
marka

Most are wide open. Heck most have merged networks between cabled and wireless within the properties. Almost none use encryption (due to varied users abilities etc)... Personally, wifi is good for surfing and thats it. I run some wifi networks for hotels and I wouldn't trust them or any others for anything you need secured.

sbacheler
sbacheler

I do agree with you that there are many hotels that have the wired & wireless combined onto one network. I install these systems in hotels and resorts. The one thin that we do for security reasons is to set the accesspoints and the switches in to user isolation so that you are not able to look at the network and see other users. I have been in hotels where, if I looked for other comuters on the network, I could see even the hotels' computers and easily get into just about any of their folders/files. I do tell them that that is happening, and they are shocked.

sprinkl3s
sprinkl3s

To answer your questions wifi networks and hotels and the like are considered "public wifi networks" this is because for the most part they are open, there's no encryption on the traffic, and anyone can connect.

K7AAY
K7AAY

Casual e-mail and other communication over public Wi-Fi links are now known as insecure, unless a VPN is used or the Firefox-Google-extension combo forces SSL from beginning to end. What will you do about it?

thinker999
thinker999

Could someone provide a link, or a few details on this for those of us currently on the 'uninformed' list for that one? Thanks, much!!

billd
billd

> ... unless a VPN is used or the ... Sorry if I'm being dense, but isn't *any* connection via public wifi subject to exploit until a secure VPN tunnel is established?

rmathis
rmathis

>... Sorry if I'm being dense, but isn't *any* connection via public wifi subject to exploit until a secure VPN tunnel is established? Evan then there are still ways to get past SSL. I just say use a linux laptop and make sure to keep icmp off just to make it a tad harder. As for everyone else well keep this in mind its job security evan thou thats a bad way of putting it.

meryllogue
meryllogue

What makes it any more secure than a public wi-fi? (I do not have it hidden, btw, but I DO have it set to require a key.) Thanks.

Neon Samurai
Neon Samurai

Either the router constantly yells out the windows "hey, I'm here and I'm network [blah]" or it keeps it's mouth shut and every wifi devide you have constantly calls out "hey, I'm trying to connect to network [blah] are you there?" wherever you happen to carry them around home and town. "hidding" your wifi router does nothing outside of cosmetic apearances. The WPA AES preshared key keeps you nice and secure though so really the "hidding" points are moot.

Glastron
Glastron

I always assume that a open wireless connection is insecure. Nothing new there. Our city is going to free wireless access in the downtown area. It concerns me the people using this connection or any open connection do not have a clue as to its insecurity.

markinct
markinct

But I never, ever do anything on an unsecured public wi-fi connection that requires me to use a login id/password. I'll wait until I'm at home to check my e-mail and bank balances... (lots of the former, very little of the latter...)