This week’s Thursday Threads looks at a big hole in the security model of most internet sites that require you to log into them with a username and password plus a pair of stories about “big media” battles. If you find these interesting and useful, you might want to add the Thursday Threads RSS Feed to your feed reader or subscribe to e-mail delivery using the form to the right. If you would like a more raw and immediate version of these types of stories, watch my FriendFeed stream (or subscribe to its feed in your feed reader). Comments, as always, are welcome.
Users of Non-SSL Sites are Prone to Hijacking
When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.
It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Most of the coverage of Firesheep this week focused on the fact that using Facebook on an open wi-fi network in a coffee shop makes you prone to having your account broken into. That is true, and perhaps the most common scenario, but the problem goes deeper than that. This can occur at any point where a third party can intercept the communication between your browser and the web server: your home wireless router, your internet service provider, or even some types of local area networks. The real answer is to have the entire session — from the point when you log in to when you log out — encrypted. Google recently made this the default for GMail sessions, and some of the engineers involved in the effort published findings about how the SSL encryption overhead isn’t that bad. In the meantime, Network World has some options to consider to protect yourself a little bit from this kind of attack. (Hat tip to Dan Scott on Code4Lib IRC.)
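As an added illustration (not code from the original post or from the Firesheep project), the Python below emulates the browser rule the excerpt describes and shows the server-side fix that goes with "encrypt everything": a session cookie set without the `Secure` attribute is attached to plain `http://` requests, while one marked `Secure` only ever travels inside the TLS session. The cookie headers and the `example.test` host are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers from a hypothetical login response
# (not captured from any real site). The login POST went over HTTPS, but the
# session cookie lacks Secure, so browsers also attach it to plain http:// requests.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=c0ns7ruc7ed; Path=/; HttpOnly",                  # weak
    "csrftoken=t0k3n; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "theme=dark; Path=/",                                       # not sensitive
]

# Name fragments that usually mark an authenticated-session cookie (heuristic).
SESSION_NAME_HINTS = ("session", "sid", "auth", "token", "login")

def parse_set_cookie(header):
    """Parse one Set-Cookie header; flag attributes become booleans."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "secure": False, "httponly": False}
    for attr in rest:
        key, sep, val = attr.partition("=")
        cookie[key.lower()] = val if sep else True
    return cookie

def sent_in_clear(cookie, request_url):
    """Browser rule sidejacking relies on: a cookie without Secure is sent on
    http:// requests, where anyone on the network path can read it."""
    return urlsplit(request_url).scheme == "http" and not cookie["secure"]

def audit(headers, request_url):
    """Names of session-looking cookies that would travel in plaintext."""
    leaked = []
    for header in headers:
        cookie = parse_set_cookie(header)
        is_session = any(h in cookie["name"].lower() for h in SESSION_NAME_HINTS)
        if is_session and sent_in_clear(cookie, request_url):
            leaked.append(cookie["name"])
    return leaked

def harden(header):
    """Server-side fix: add Secure (and HttpOnly) so the cookie only ever
    rides inside the TLS session; only works if the whole site is on HTTPS."""
    cookie = parse_set_cookie(header)
    parts = [header.strip().rstrip(";")]
    parts += [a for a, k in (("Secure", "secure"), ("HttpOnly", "httponly")) if not cookie[k]]
    return "; ".join(parts)
```

Running `audit` on the sample headers against an `http://` URL flags `sessionid`; after `harden` the same audit reports nothing, which is the state a site should be in once every page is served over HTTPS.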
Cory Doctorow on the Role of “Free”
The topic I leave my family and my desk to talk to people all over the world about is the risks to freedom arising from the failure of copyright giants to adapt to a world where it’s impossible to prevent copying. Because it is impossible. Despite 15 long years of the copyright wars, despite draconian laws and savage penalties, despite secret treaties and widespread censorship, despite millions spent on ill-advised copy-prevention tools, more copying takes place today than ever before.
As I’ve written here before, copying isn’t going to get harder, ever. Hard drives won’t magically get bulkier but hold fewer bits and cost more.
Networks won’t be harder to use. PCs won’t be slower. People won’t stop learning to type “Toy Story 3 bittorrent” into Google. Anyone who claims otherwise is selling something – generally some kind of unworkable magic anti-copying beans that they swear, this time, will really work.
Cory writes this piece in the U.K. Guardian in response to a column from a fellow Guardian writer on how creative people can control their own intellectual property and some media companies’ demands for digital rights management are actually stifling creativity. It starts as a rant and moves quickly into a powerful summary of what is at stake in the “copyright wars.” (Hat tip to OCLC’s Above the Fold.)
What Network Neutrality Really Means
In its continuing contract showdown with Cablevision, the News Corporation tried to extend its blackout of the Fox Broadcasting network to Fox.com and to Hulu, the popular Web site for free TV viewing, on Saturday. Angry Cablevision customers reported being unable to watch episodes of “Glee” and “House” on Hulu.
The blackout caused shock waves because it had not been done before by a programmer. Though the shutdown was brief, the message was unmistakable: do not expect to be able to watch Fox online unless you are paying for Fox on TV.
The attempted Web blockade was leverage for Fox in its contract negotiations, but more important, it was the latest evidence that entrenched media companies hope to replicate their walled gardens in a new medium, the Internet.
Broadcast and cable companies in the New York City area are locked in a dispute over what the latter needs to pay the former for the right to retransmit the content on cable TV. The dispute spilled over into the internet when the cable company started blocking internet subscribers from reaching the broadcast company’s shows on its website and on Hulu. This could be seen as a litmus test for net neutrality: should an internet service provider be able to decide what content it sends to end-users — either by giving preferential treatment to some content or by blocking other content? The dispute, by the way, continues… even impacting those who want to watch baseball’s World Series.