Cool Sidejacking Security Scorecard (and a MobileMe Update)

By Rich

First, for our non-technical readers who want to know more about this Firesheep/sidejacking thing, check out my relatively non-geeky article over at TidBITS.

After that, George Ou put together a great sidejacking security scorecard for a double fistful of major online services. He rates each site’s risk across its various services for full hijacking and for full and partial sidejacking. Needless to say, very few services fare well.

Being a Mac geek, I noticed one service that isn’t on the scorecard: Apple’s MobileMe. I did some poking myself, and MobileMe uses full-session SSL for every session and sets the Secure flag on its credential cookie, so the browser won’t send it over plain HTTP. Also, the default for all MobileMe sync services is encrypted connections (I don’t have time to confirm that with Wireshark, so for that statement I’m currently relying on other articles).
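To make the scorecard’s categories concrete, here is an added example (not code from this post, not George Ou’s scoring method, and not a capture of MobileMe or any real site) that rates constructed site descriptions on the two facts highlighted above: whether login and each service run over SSL, and whether the cookie each service trusts carries the Secure flag. The thresholds for “full hijacking”, “full sidejacking” and “partial sidejacking” are my simplification of the scorecard, not Ou’s exact criteria, and the hostnames, cookie names and values are made up.

```python
"""Rate a web service's exposure to Firesheep-style sidejacking.

Added example: the site descriptions below are constructed and the rating
rules are a simplified approximation of a sidejacking scorecard, not George
Ou's exact criteria. Nothing here was captured from MobileMe or any real site.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(headers):
    """Map cookie name -> {"secure": bool, "httponly": bool} from Set-Cookie values."""
    flags = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # each Set-Cookie header is parsed on its own
        for name, morsel in jar.items():
            # SimpleCookie stores an absent flag as "" and a present one as True.
            flags[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return flags


def service_exposed(service, flags):
    """True if the cookie that authenticates this service can be sniffed.

    A cookie without the Secure flag is attached to *any* plain-HTTP request
    to the domain (the victim types http://, or someone on the same network
    injects an http:// image reference), so even an HTTPS page that honours
    that cookie is sidejackable. A service served over plain HTTP is exposed
    regardless of cookie flags.
    """
    cookie = flags.get(service["cookie"])
    if cookie is None:
        return False  # cookie never observed in the sampled responses
    return urlsplit(service["url"]).scheme != "https" or not cookie["secure"]


def rate(site):
    """Return (verdict, findings) for one site description."""
    findings = []
    plain_login = urlsplit(site["login_url"]).scheme != "https"
    if plain_login:
        findings.append("credentials are submitted over plain HTTP")
    flags = parse_set_cookie(site["set_cookie"])
    exposed = [name for name, svc in site["services"].items()
               if service_exposed(svc, flags)]
    for name in exposed:
        cookie = site["services"][name]["cookie"]
        findings.append(f"{name}: cookie {cookie!r} is usable from a sniffed plain-HTTP request")

    if plain_login:
        verdict = "full hijacking"        # the attacker gets the password itself
    elif exposed and len(exposed) == len(site["services"]):
        verdict = "full sidejacking"      # a captured cookie opens every service
    elif exposed:
        verdict = "partial sidejacking"   # only some services trust a sniffable cookie
    else:
        verdict = "no sidejacking exposure"
    return verdict, findings


# Constructed sample sites (hypothetical hosts, cookie names and values).
SITES = {
    # What the post describes for MobileMe: SSL everywhere plus a Secure cookie.
    "locked-down": {
        "login_url": "https://locked.example/login",
        "set_cookie": ["sid=7f3a9c; Path=/; Domain=.locked.example; Secure; HttpOnly"],
        "services": {
            "mail": {"url": "https://locked.example/mail", "cookie": "sid"},
            "calendar": {"url": "https://locked.example/cal", "cookie": "sid"},
        },
    },
    # SSL login and a Secure session cookie, but one app rides on a plain-HTTP cookie.
    "mixed": {
        "login_url": "https://mixed.example/login",
        "set_cookie": ["sid=2b8d1e; Path=/; Secure; HttpOnly",
                       "photo_auth=91c044; Path=/photos"],
        "services": {
            "settings": {"url": "https://mixed.example/settings", "cookie": "sid"},
            "photos": {"url": "http://mixed.example/photos", "cookie": "photo_auth"},
        },
    },
    # Everything over plain HTTP: the password itself is on the wire.
    "wide-open": {
        "login_url": "http://open.example/login",
        "set_cookie": ["sid=c0ffee; Path=/"],
        "services": {
            "mail": {"url": "http://open.example/mail", "cookie": "sid"},
        },
    },
}

if __name__ == "__main__":
    for name, site in SITES.items():
        verdict, findings = rate(site)
        print(f"{name}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

The check only reads Set-Cookie headers and URL schemes, so it can be fed responses from a browser’s developer tools or a Wireshark capture; it does not confirm that the site refuses plain-HTTP requests outright, which is a separate test.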

See… a reason Apple should buy Twitter ;)

This is a very welcome but relatively recent change for MobileMe - they used to do SSL for login only, and didn’t offer SSL for anything else except the Find My iPhone and Account Settings pages. I think the full SSL change happened around the time the new “iPad-like” interfaces came out this summer.
