

Discuss HN: How to solve the wifi insecurity problem - EGreg

A couple days ago, people posted a story going around about session cookies being transmitted via wifi, allowing anyone in the vicinity to hijack a facebook account or something else as sinister.<p>It was suggested that sites don't just use ssl for everything because it's too computationally expensive, or something. Is that true?<p>I started thinking about solving the problem using pure HTTP connections (after doing the login using https, of course) and it seems to me that there are many possible solutions.<p>One would be to generate a seed for a sequence of "one time session keys" that would be invalidated when you log out. You could store it in localStorage, or in a cached javascript resource which was originally retrieved with ssl. You would, of course, reload this resource on the next login.<p>You could use cookies to store the index number of the "one time session key" that should be used next, and increment it after every request.<p>Seems simple enough -- does anyone have any comments about this scheme? I might implement it in my own site.
======
cperciva
_Seems simple enough -- does anyone have any comments about this scheme? I
might implement it in my own site._

<tptacek>Do not use homegrown cryptography to protect your website. Seriously.
Just use SSL. The problem you mention of SSL being too computationally
expensive? That's a Maserati problem.</tptacek>

In all seriousness, I agree with Thomas's standard opinion in this case. There
are theoretical ways to do this securely, but the odds of anyone actually
doing it correctly are low to zero. Unless you really really know what you're
doing -- and if you did, you wouldn't bother coming to HN for advice about it
-- you're much better off just using SSL.

------
Udo
It's a good idea in theory, but in practice this will be just one more massive
JavaScript disaster that's bogging down the connection on both ends for little
actual security in return. See, it's the current short-time session that's
most likely to be used against you, right there when you're sitting inside a
Starbucks and enjoy that latte. Apart from this shortcoming, this scheme will
also be difficult to maintain and will probably bring a lot of new exploits
into the system that haven't been there before.

The solutions here are really simple. Instead of bolting dubious schemes onto
HTTP to solve problems that should have been addressed in other layers, let's
actually solve it in other layers! Switching to WPA2 is something pretty much
any access point could do right away. In the long term, however, I believe we
should break the stranglehold browser makers (with the oh-so-open Firefox
among the worst) and cert authorities have over HTTPS.

(I'd also like to point out, again, how disgusting it is that people are
claiming we just discovered this brand new vulnerability, when in fact it has
been exploited by mediocre black hats since the dawn of time. Everybody's been
knowing this for years, including every single web developer out there.)

~~~
EGreg
Agreed. Still, I don't see why not to implement this, as it will enable me to
claim my site is safer to use over wifi than other sites.

