If I'm using websites that do not use HTTPS, but I'm on a WEP-protected Wi-Fi network, are my cookies safe from being sniffed by third-parties?
Are cookies only at risk during login, or am I at risk any time I use HTTP?
Asked
Active
Viewed 1,396 times
2 Answers
12
If I'm using websites that do not use HTTPS, but I'm on a WEP-protected Wi-Fi network, are my cookies safe from being sniffed by third-parties?
No. Outsiders can crack WEP networks almost as if they weren't encrypted at all, these days. Insiders have even more ease of access. Even on WPA/WPA2 networks, there are still exploits that enable insiders to sniff the traffic of others on the network. Lastly, there's always the risk of someone listening in on the wired side of the network where your data is not protected by the encryption used over the air.
Are cookies only at risk during login, or am I at risk any time I use HTTP?
Your data is at risk any time it is sent in the clear. Even if the login page itself is HTTPS, other webpages that transfer your session cookie over HTTP can put that account at risk. You are vulnerable as long as you remain logged in and the website is transferring your data un-encrypted.
The only effective way to protect your session cookies is to only use websites that transfer all data over HTTPS all the time, or use a VPN for everything. Even then, the VPN is only as trustworthy as the VPN service provider. There's also MITM attacks against HTTPS, so you've really got to trust the system and network you're on if that's your only protection.
Related:
Ways to secure yourself from Firesheep kiddies and other sniffing
Why is FireSheep such a big deal?
-
thank you very much. is my understanding correct, that in order to steal ones cookie, outsider needs to be able to connect to our wifi, then use FireSheep to catch a cookie. Once he gets the cookie he is able to connect to the site on behalf of other person? Or it is possible to intercept WEP/WPA/WPA2 traffic, decript it and then extract a cookie? – Chesnokov Yuriy Oct 05 '11 at 05:20
-
Actually your security can be compromised by session fixation even if you are (ultimately) connecting over SSL – symcbean Oct 05 '11 at 11:53
-
1@ChesnokovYuriy The easiest attack for third-parties to sniff traffic on WPA/WPA2 requires inside access, and man-in-the-middle positioning. For Open or WEP networks, you don't even have to be on the network to read the cleartext traffic. In any case, you still have to be concerned about the wired side of the network. And there's always the possibility that someone could take WPA/WPA2 encrypted packets home with them to be worked on there. Hopefully though, your session cookies will become invalid by the time those packets are decrypted offline. – Iszi Oct 05 '11 at 12:55
-
An addition to @symcbean's comment - you could be compromised if a session token issued in an http session is reused in an https session. The server-side fix is to not re-use session tokens - generate new ones every time you change session (from http to https, https to http, new login etc) – Rory Alsop Oct 05 '11 at 14:04
3
but I'm on a WEP-protected Wi-Fi network, are my cookies safe from being sniffed by third-parties?
no on the other side of the wifi base-station (the ethernet backbone) there could be a sniffer, WEP is only on the link from client to base-station
Are cookies only at risk during login, or am I at risk any time I use HTTP?
cookies get sent each time you send a request to the server that set the cookies so yes they are at risk
ratchet freak
- 325
- 1
- 8
-
then it needs to trust your ISP. is the same as easy for 3G internet connection? – Chesnokov Yuriy Oct 05 '11 at 05:21