hey i found a new toy for iceweasel

storkus at storkus.com storkus at storkus.com
Tue Feb 5 01:28:00 MST 2008


Uhhhhhh...I wonder how many other mail providers or programs/suites this
vulnerability applies to.  I just got a new e-mail account and it does
the full-time https thing.  Considering that my internet connection goes
over our 802.11b system in the clear, the thought of those session IDs
and passwords going in the clear worries me, especially with the number
of people I see getting DHCP leases (but not past the captive portal) on
our system!  And those are just the ones dumb enough to be seen...

Mike

On Mon, 4 Feb 2008 21:18:23 -0800, "Kristian Erik Hermansen"
<kristian.hermansen at gmail.com> said:
> On Feb 4, 2008 9:00 PM, Micah DesJardins <micahdj at gmail.com> wrote:
> > If you use
> >
> > https://mail.google.com
> >
> > instead of http://mail.google.com it remains encrypted after you log in.
> 
> This is not necessarily true.  There have been attacks in which Google
> session ids can be compromised if for a time HTTPS is disrupted.
> Google then attempts to utilize the non-https session and exposes the
> id, which can then be used to log into the account without a user/pass
> combo...
> -- 
> Kristian Erik Hermansen
> "Know something about everything and everything about something."
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

