firesheep

victor steinbok aardvark66 at GMAIL.COM
Fri Sep 16 18:37:31 UTC 2011


No, not "fireship", which is in OED, of course. And it comes with another
kind of "jacking" that we've previously failed to mention in the thread on
"jacking": sidejacking.

Verisign has a whitepaper on site security--well, of course, it's on site
security because that's what they do! The whitepaper has restricted access
not so much because they want to filter out the riff-raff, but because they
want to see who is interested, so that they can bombard them with needless
offers of services. But I digress.

The title of the paper is

PROTECTING USERS FROM
FIRESHEEP AND OTHER
SIDEJACKING ATTACKS WITH SSL

I'll be happy to forward it to anyone who is interested--it's only 5 pages.

More on firesheep:

> Firesheep allows an attacker connected to the local network to monitor the
> web sessions of other users on that network. The attacker can then also
> commandeer the sessions of others, acting in their user context.
> Firesheep specifically targets open Wi-Fi networks, but the problem is the
> same on conventional wired Ethernet networks.


And on sidejacking:

> An attacker monitoring an open network can see not only the data sent
> between the server and client, but also the data in the unsecured
> cookies. The cookie data then can be used to spoof the user with an attack
> technique known as /sidejacking/, which is one form of session hijacking.
> This is what Firesheep does.


Note that this last one is a capital-F Firesheep--not quite the same as the
earlier defined term:

> *Firesheep* is an extension for the Firefox web browser developed by
> Eric Butler and released in October, 2010 at ToorCon 12, a hacker conference
> in San Diego. It uses a packet sniffer to intercept unsecured cookies. It
> displays the names of users on the local network and the services to which
> they are connected. The attacker can connect to those services using
> the victim user’s credentials by double-clicking on the name.


Before you jump into the search--packet sniffer and packet sniffing are
both in the OED on-line (from 1989 and 1991, respectively).

CPU is in OED (from 1962), as are USB (1995), HTTP (1992), TCP (1974) and
TCP/IP (1980), but other common abbreviations are not: VOiP (or VOIP), VPN,
SSL. Nor is the combination "security layer", which goes well beyond
computing. "Certificate authority" (CA) also is not in OED, which is not
surprising, since the computing meaning of "certificate" is not listed
either (nor is "certificate management", which only makes sense in computing
context).

VS-)
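The quoted passages describe the weakness Firesheep collected: a login-session cookie that is not marked Secure, so the browser also sends it over plain HTTP where an open Wi-Fi sniffer can read it. The following added example (not from the Verisign whitepaper, from Firesheep, or from this post) audits Set-Cookie headers for that defect and shows the cookie-side half of the "with SSL" fix; the response headers and cookie names are constructed sample data, and the session-name hints are an assumed heuristic.

```python
from dataclasses import dataclass

# Constructed sample: raw HTTP response headers as they would appear on the wire.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=3a9f1c; Path=/; HttpOnly
Set-Cookie: csrftoken=77d0e1; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
Set-Cookie: PHPSESSID=b81e22; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Assumed heuristic: substrings that suggest a cookie carries a login session.
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value into its name and the two flags that matter here."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    lowered = name.lower()
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in lowered for h in SESSION_NAME_HINTS),
    )


def sidejackable_cookies(raw_headers: str) -> list:
    """Names of session-looking cookies without Secure: the browser will send
    these on plain http:// requests too, so a sniffer on an open network sees
    them in clear text. (HttpOnly stops script access, not sniffing, so it is
    not the deciding flag here.)"""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            report = parse_set_cookie(value)
            if report.looks_like_session and not report.secure:
                findings.append(report.name)
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Add Secure (and HttpOnly) when absent. This only helps if the site also
    serves the whole session over HTTPS, which is the whitepaper's point."""
    report = parse_set_cookie(header_value)
    out = header_value.strip()
    if not report.secure:
        out += "; Secure"
    if not report.httponly:
        out += "; HttpOnly"
    return out
```

Running `sidejackable_cookies(SAMPLE_RESPONSE_HEADERS)` on the sample reports only `sessionid`; `csrftoken` and `PHPSESSID` already carry Secure and `theme` is not a session cookie.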

------------------------------------------------------------
The American Dialect Society - http://www.americandialect.org
