So there's been a bit of a stir about this Firefox extension Firesheep, which allows you to hijack popular website sessions on open wifi networks.
This intrusion is possible because most websites —including Facebook and Twitter— only encrypt the user's initial login.
"When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a 'cookie' which is used by your browser for all subsequent requests. It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable," he explained.
Does Drupal (and therefore every Drupal website on the planet) have these same security vulnerabilities? Is it up to website admins to insist on serving their sites over https?
According to the author, he released this tool to raise awareness of these serious security issues. I know but the basics of web security and this has really sparked my interest.
Now that I'm aware of this issue, I feel responsible if anything ever happens to one of our client sites via an attack of this sort. Though this is (very) highly unlikely, I'd like to enact preventative measures.
Is there something that Drupal could do to reduce the risks or at least help raise awareness of the issues/what web admins can do to protect themselves?
Thanks.
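As an added illustration of the cookie problem quoted above (this is example code written for this page, not part of the post or of Drupal itself): a small audit an admin can run against the Set-Cookie headers their own site returns, flagging session cookies that are set over plain HTTP or lack the Secure and HttpOnly attributes. The sample responses and the SESS-prefixed cookie name pattern are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed name pattern for Drupal session cookies (SESS<hash>, or SSESS<hash>
# for the HTTPS-only variant); PHPSESSID covers plain PHP. An assumption for
# this example, not a specification.
SESSION_NAME = re.compile(r"^(S?SESS[0-9a-f]+|PHPSESSID)$", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_response(url, set_cookie_headers):
    """Return (cookie_name, problem) pairs for session cookies that a passive
    listener on the same network could read, or that the browser would later
    resend in the clear."""
    findings = []
    over_tls = urlsplit(url).scheme == "https"
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not SESSION_NAME.match(name):
            continue  # only session identifiers matter for session hijacking
        if not over_tls:
            findings.append((name, "session cookie set over plain HTTP"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure: browser will send it over HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable from script"))
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "login": ("https://example.invalid/user/login",
              ["SESS0123abcd=tok1; path=/; HttpOnly"]),
    "hardened": ("https://example.invalid/user/login",
                 ["SSESS0123abcd=tok2; path=/; Secure; HttpOnly"]),
    "plain": ("http://example.invalid/node/1",
              ["SESS0123abcd=tok3; path=/", "has_js=1; path=/"]),
}


def audit_all(samples=SAMPLES):
    return {label: audit_response(url, hdrs) for label, (url, hdrs) in samples.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, findings or "OK")
```

The "login" sample mirrors the situation the quote describes: the login itself is encrypted, but the cookie lacks Secure, so any later plain-HTTP page load exposes it.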