2

Let's say I am already logged-in to my Gmail or Yahoo account using my 3G then I switched to a public WIFI in an airport or cafe.

  1. Is my username and password still vulnerable?

  2. What others kinds of information can the hacker get in this setup?

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
IMB
  • 2,888
  • 6
  • 28
  • 42

3 Answers3

2

If you are using GMail or Yahoo all credentials should be transmitted over HTTPS and there for you are safe. If you where connecting to http://security.stackexchange.com or StackOverflow over an open WiFi network then someone is able to sniff your cookie and immediately login as you. This is because StackOverflow and secuirty.se are violating OWASP a9. Firesheep automates this attack by sniffing WiFi looking for http cookies to hijack.

rook
  • 46,916
  • 10
  • 92
  • 181
  • 1
    Is HTTPS is still considered safe? I just read about "SSL Strip" and it seems SSL is no longer safe. – IMB Jun 19 '12 at 05:11
  • @IMB maybe you should post that question alone, and it will get ripped apart. :) Or better yet, you should see moxie marlin spike's talk on the topic of ssl strip, ssl sniff and the solutions to these problems. – rook Jun 19 '12 at 08:12
  • @IMB - SSL is perfectly safe. There are certain things you have to do right. You can setup SSL on your website incorrectly. Even when incorrect MiTM attack is pretty much the only way to intercept your packets. Your session is an entirely another story and has nothing to do with SSL honestly. – Ramhound Jun 20 '12 at 10:48
0

Suppose a MiTM scenario. You have already logged-in into Gmail or Yahoo meaning that the authentication has been already done and will be valid until the session expires. If the attacker could intercept the packets that you send, at most he could learn about the specific message that you are sending and nothing about your credentials. If your session expires and the authentication is done again, the attacker could learn about your credentials too.

a0viedo
  • 21
  • 2
-2

Your credentials are safe. Your session, even over SSL, could still potentially be attacked.

ExtraCuriousGuy
  • 27
  • 1
  • 1
    "_Your session, even over SSL, could still potentially be attacked._" how? – curiousguy Jun 20 '12 at 02:56
  • 1
    @curiousguy - Because of how Firesheep works. This answer is poor because it doesn't go into detail that if the entire session is encrypted then Firesheep is no longer able to work. – Ramhound Jun 20 '12 at 10:49
  • @Ramhound Firesheep [isn't able](http://security.stackexchange.com/questions/847/why-is-firesheep-unable-to-session-hijack-over-ssl) to attack if app uses SSL – Andrei Botalov Jun 26 '12 at 22:58