[dangrossman]

Virtually everything flying around the network is unencrypted. Even if Facebook turned on SSL for the whole site, if I see you sitting next to me and can find your e-mail address, I just have to request a password reset and wait for your mail client to pick up the plain text email with the reset link. Either encrypt your whole connection or accept that you're secure enough because nobody is really listening.

Kinda like all the TSA articles floating around, you're not safe because someone's groping everyone before they get on the plane, you're safe because nobody was trying to get something onto the plane in the first place.

[rythie]

Firstly that alerts the person to the breach, because you have to change their password - which isn't true of a session hijack.

Secondly how are you getting the mail? I haven't been able to access my able without SSL for years and I lock my screen everytime I leave it + never leave my phone hanging around.

Thirdly would you even know the email address I used? I use a different one for each site.

[chrisbroadfoot]

Huuuuuuuh?

My mail is encrypted. You wouldn't be able to intercept the password reset.