Recent Story Comments
http://www.abdevelopment.ca/blog/drupalcon-security-followup-automatically-use-ssl-logins-drupalorg/feed

Yes, session hijacking is
http://www.abdevelopment.ca/blog/drupalcon-security-followup-automatically-use-ssl-logins-drupalorg#comment-18

Yes, session hijacking is still a problem. I'd hoped to write an updated version which would also force subsequent page loads to occur over SSL, but if there's concerns about d.o performance then perhaps I'll hold off. Perhaps the next conference WiFi will use WPA to at least make it more difficult for traffic sniffing to occur.

Thanks for your comments!

Mon, 09 Mar 2009 01:15:14 +0000 | andrew | comment 18 at http://www.abdevelopment.ca

Alas, this isn't going to
http://www.abdevelopment.ca/blog/drupalcon-security-followup-automatically-use-ssl-logins-drupalorg#comment-17

Alas, this isn't going to work. It's a different approach from my own (I wrote a Firefox extension last year: http://www.larks.la/weblogs/christefano/using_ssl_and_a_firefox_extension_for_a_more_secure_drupal.org) and an interesting one at that, but Heine has already written the definitive post on this, "Security theater #1 - Using SSL for login" (http://heine.familiedeelstra.com/security-theater-dail-ssl-for-login).

Sun, 08 Mar 2009 04:33:49 +0000 | christefano | comment 17 at http://www.abdevelopment.ca

Still insecure
http://www.abdevelopment.ca/blog/drupalcon-security-followup-automatically-use-ssl-logins-drupalorg#comment-16

Well, SSL is a good thing, but when you only use it for the actual login, you have actually accomplished very little, since a would-be eavesdropper can still just grab your session cookie from the first regular HTTP request and use that to steal your account.

So although this approach will protect the actual password, it doesn't help session hijacking. For that, we will have to serve up every single non-anonymous pageview via SSL. And that's currently not feasible.

Sat, 07 Mar 2009 09:46:53 +0000 | Mikkel Høgh | comment 16 at http://www.abdevelopment.ca