
Cool Sidejacking Security Scorecard (and a MobileMe Update)

First, for our non-technical readers who want to know more about this Firesheep/sidejacking thing, check out my relatively non-geeky article over at TidBITS.

After that, George Ou put together a great sidejacking security scorecard for a double fistful of major online services. He rates each site’s risk across its various services for full hijacking and for full and partial sidejacking. Needless to say, very few services fare well.

Being a Mac geek, I noticed one service not mentioned is Apple’s MobileMe. I did some poking myself, and MobileMe both uses full-session SSL for all sessions and sets a secure credential cookie so it won’t pass over basic HTTP. Also, the default for all MobileMe sync services is encrypted connections (I don’t have time to confirm with Wireshark, so I’m currently taking other articles’ word for that statement).
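The check described above (is the credential cookie marked Secure, so the browser never sends it over plain HTTP?) is easy to automate against a site’s response headers. The script below is an added example, not code from the original post, from George Ou’s scorecard, or from Apple; it parses `Set-Cookie` headers from a response and reports which session-looking cookies lack the Secure attribute and would therefore be exposed to a sidejacking tool on the same network. The header lines and the list of “session-like” name hints are constructed for the example.

```python
"""Audit Set-Cookie headers for sidejacking exposure (added example).

A session cookie without the Secure attribute is sent by the browser on any
plain-HTTP request to the same host, where anyone on the same network can
read and replay it. Cookies carrying Secure are only sent over HTTPS.
"""
from dataclasses import dataclass

# Constructed heuristic: cookie names that usually carry a session credential.
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    @property
    def sidejackable(self) -> bool:
        # Exposed if it looks like a credential and can travel over cleartext.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value, e.g. 'sessionid=abc; Path=/; Secure'."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first part is name=value; the cookie value may itself contain '='.
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (Secure, secure, SECURE).
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    lname = name.lower()
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in lname for h in SESSION_NAME_HINTS),
    )


def audit_response(header_lines):
    """Return a CookieAudit for every Set-Cookie header in a response."""
    audits = []
    for line in header_lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            audits.append(parse_set_cookie(value.strip()))
    return audits


def exposed_session_cookies(header_lines):
    """Names of session-like cookies that would be sent over plain HTTP."""
    return [c.name for c in audit_response(header_lines) if c.sidejackable]


# Constructed sample responses: a site that only protects the login, and a
# site that also marks its credential cookie Secure.
WEAK_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: sessionid=7f3a9c; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]
HARDENED_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: sessionid=7f3a9c; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        exposed = exposed_session_cookies(resp)
        print(f"{label}: exposed session cookies = {exposed or 'none'}")
```

The name-hint heuristic is deliberately loose; when auditing a real service you would replace it with the actual name of the cookie the site uses to identify a logged-in user, and also confirm that the site redirects plain-HTTP requests to HTTPS, since a Secure cookie protects only the cookie, not the rest of the session.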

See… a reason Apple should buy Twitter ;)

—Rich


Comments:


By cji  on  11/03  at  06:23 AM

This is a very welcome but relatively recent change for MobileMe - they used to do SSL for login only, and not have SSL available for any other portion except for the Find my iPhone and Account Settings pages. I think the full SSL change happened around the time the new “iPad-like” interfaces came out this summer.
