
Unfortunately just encrypting the login page would not protect user accounts from Tunisia's ISP. The ISP can just sniff your session cookie and hijack your session instead. They won't be able to change your password but they can read and write all your other data.

The only real protection here is to go full SSL and not forget to set the SSL only flag on session cookies. Even then, you only have to wait till Tunisia buys a forged certificate for Facebook.
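The two points above (a session cookie without the Secure flag travels in cleartext, and a site that does not pin HTTPS can be downgraded) can be checked mechanically on a site's response headers. The following is an added example, not code from this thread or from Facebook; it assumes a simple `name=value; attr; attr=value` Set-Cookie grammar, uses a constructed set of response headers, and guesses which cookies are session cookies from a hypothetical list of name fragments.

```python
"""Audit HTTP response headers for session cookies that would leak over plain HTTP.

Added example: the header values below are constructed for illustration,
and SESSION_NAME_HINTS is a heuristic, not a standard.
"""

# Name fragments that usually indicate a session or auth cookie (heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed Set-Cookie values, as a server might emit them.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",                      # no Secure flag
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",
    "lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",  # not a session cookie
    "auth_token=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Constructed response headers for a site that serves HTTPS but sends no HSTS.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", SAMPLE_SET_COOKIE[0]),
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(set_cookie_values):
    """Return {cookie_name: [issues]} for every cookie that looks session-bearing.

    A session cookie without Secure is sent on every plain-HTTP request, so
    anyone on the path (an ISP included) can copy it and replay the session.
    """
    findings = {}
    for raw in set_cookie_values:
        cookie = parse_set_cookie(raw)
        if not looks_like_session_cookie(cookie["name"]):
            continue
        issues = []
        if "secure" not in cookie["attrs"]:
            issues.append("missing Secure: sent in cleartext over HTTP, so it can be sniffed")
        if "httponly" not in cookie["attrs"]:
            issues.append("missing HttpOnly: readable by page scripts")
        findings[cookie["name"]] = issues
    return findings


def has_hsts(headers):
    """True if the response carries Strict-Transport-Security.

    Without HSTS the browser will happily follow a redirect from https:// back
    to http://, which is the downgrade described in the thread.
    """
    return any(name.lower() == "strict-transport-security" for name, _ in headers)


if __name__ == "__main__":
    for name, issues in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(name, "->", issues or "ok")
    print("HSTS present:", has_hsts(SAMPLE_HEADERS))
```

Run as a script it flags `sessionid` for the missing Secure attribute and reports that the constructed response has no HSTS header; the other two session-like cookies pass. On real output you would feed it the Set-Cookie lines from a captured response instead of the constructed samples.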



Or they just redirect all HTTPS requests back to HTTP. How many people would notice?


Presumably a Tunisian blogger may be "paranoid" enough to notice.

When it's your password on the line (and possibly your ass in jail) data security is more than aggregate statistics.


Err, well, I'm pretty sure they could have logged in via HTTPS all along by just manually typing in http://www.facebook.com


If the URL starts with "http:", the attacker gets to decide which parts (if any) are going to be sent HTTPS.


Sorry, either the autolinker or I screwed up that post. My point was that if people cared about security, they could have been visiting the facebook login page by manually typing HTTPS in the first place.


True.

I don't use FB, but someone on Slashdot was saying it likes to reply with every link going to http anyway. Based on my experience with Twitter and other sites, this sounds very plausible.



