by clocktower
5508 days ago
This is, in fact, what happened. An enterprising douchebag used Firesheep to sniff Twitter credentials, then #poopin'd a bunch of attendees. Malte makes oblique reference to this in the post.

I'm not convinced it's the WiFi provider's job to hold users' hands here. Most of us don't maintain separate browsing habits for public networks and private networks. I know that I never had an "aha, should use Twitter over HTTPS now" moment once I started using the WiFi at JSConf, and that's my fault.

In other words, session stealing can be resolved by the site itself (by forcing everything onto https, like GitHub has done), by the WiFi provider (by selectively redirecting traffic onto https and reminding people that the network is unencrypted), or by the end user (by being justifiably paranoid). In my mind, the former two aren't _obligated_ to help here, but may do it anyway just to avoid headaches all around.