Firesheep and JonDonym

The Firefox extension Firesheep caused a certain fuss in the media some weeks ago (see e.g. Lifehacker or Forbes). With its help one can sniff open WLANs and steal session cookies to hijack an active user session. Several countermeasures have been proposed. One can try to detect Firesheep itself and act accordingly. Alternatively, one can flood the network with packets in order to impair Firesheep's functionality. Or, as a third and best choice, one uses only services that are provided exclusively over SSL-secured connections. Unfortunately, the latter is not available for services like Twitter that secure only the login page but not the session identifier.
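The gap between "SSL on the login page" and "SSL for the whole session" is visible in a service's response headers. The following added example (not part of the original post) audits them for it; the header lines are constructed samples, and the function names are hypothetical. The HSTS check goes slightly beyond what the post describes.

```python
from http.cookies import SimpleCookie

# Constructed sample responses, not captured from any real service.
LOGIN_ONLY_SSL = [
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]
SSL_EVERYWHERE = [
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly; Secure",
    "Strict-Transport-Security: max-age=31536000",
]

def _headers(header_lines):
    """Yield (lowercased name, value) pairs from raw 'Name: value' lines."""
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip().lower(), value.strip()

def exposed_cookies(header_lines):
    """Names of cookies set without the Secure attribute.

    The browser attaches these to plain-HTTP requests as well, which is
    where a passive listener on an open WLAN can read them.
    """
    exposed = []
    for name, value in _headers(header_lines):
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        exposed += [m.key for m in jar.values() if not m["secure"]]
    return exposed

def sends_hsts(header_lines):
    """True if the response tells the browser to use HTTPS only (HSTS)."""
    return any(n == "strict-transport-security" for n, _ in _headers(header_lines))

def audit(header_lines):
    """Summarise whether the session identifier stays on encrypted links."""
    exposed = exposed_cookies(header_lines)
    return {"exposed": exposed,
            "hsts": sends_hsts(header_lines),
            "ssl_only": not exposed and sends_hsts(header_lines)}

if __name__ == "__main__":
    for label, sample in (("login-only SSL", LOGIN_ONLY_SSL),
                          ("SSL everywhere", SSL_EVERYWHERE)):
        print(label, audit(sample))
```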

Irrespective of which protective means a user deploys (if any at all), Firesheep is not dangerous when one is using JonDonym, because all traffic is already encrypted on the user's computer. That means an attacker on the WLAN or at an Internet Service Provider is not able to obtain the sensitive data needed to hijack a particular session, whether it runs over an unsecured or a secured (SSL) connection.

But, of course, this only applies if there is no malware on the computer. In the current context that means not installing unreviewed browser extensions, as these could easily contain Firesheep's (or similar) sniffing code without that being detected while surfing the Web.

