My ramblings on the stuff that holds it all together
When Web 2.0 Goes Bad…
Interesting articles here and here on “side-jacking”: people snooping session IDs from URL strings to bypass SSL protection, which is typically applied only at logon, after which the site’s content reverts to plain, non-SSL HTTP.
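As an added defender-side example (not code from either linked article), a small Python check that walks constructed access-log URLs and flags session identifiers carried in the query string or as a path parameter, noting whether the request travelled over plain HTTP; the parameter names and sample lines are assumptions, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log URLs (assumed hosts, not real traffic):
# an HTTPS logon followed by plain-HTTP pages that carry the session id.
SAMPLE_LOG = """\
https://mail.example.test/login?user=alice
http://mail.example.test/inbox?sessionid=9f8e7d6c5b4a
http://mail.example.test/read?msg=42&PHPSESSID=abc123def456
https://shop.example.test/cart?item=7
http://shop.example.test/account;jsessionid=0A1B2C3D4E5F
"""

# Query-parameter names commonly used for session tokens (assumed list).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "token"}


def find_session_leaks(log_text):
    """Return one finding per URL that exposes a session id in the URL itself."""
    findings = []
    for line in log_text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        leaked = []
        # Session id passed as a query parameter, e.g. ?sessionid=...
        for name in parse_qs(parts.query):
            if name.lower() in SESSION_PARAMS:
                leaked.append(name)
        # Servlet containers may carry it as a path parameter: /path;jsessionid=...
        m = re.search(r";(jsessionid)=([^/?#]+)", parts.path, re.IGNORECASE)
        if m:
            leaked.append(m.group(1))
        if leaked:
            findings.append({
                "url": url,
                "params": leaked,
                # Plain HTTP means the id was also visible on the wire, not just in caches.
                "plaintext": parts.scheme.lower() == "http",
            })
    return findings


if __name__ == "__main__":
    for f in find_session_leaks(SAMPLE_LOG):
        print(f)
```

Every flagged line here is also over plain HTTP, which is exactly the post-logon reversion the articles describe: the id is in the address bar, the cache, and the air.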
I’ve seen similar issues several times at airport or public Internet “kiosks”, and have accidentally walked into people’s airline reservations, webmail, etc. by looking in the browser cache – and sometimes even in the address-bar drop-down! – as those machines don’t get wiped when you start/stop using them (easyInternet used to do a total wipe/re-provision of the OS once you’d finished using their machines).
Moral of the story? Public kiosks are bad for doing anything you don’t want to share with other people, even if you’re clever and choose the “secure session” option; and if you can “sniff” a public WiFi connection you can get all of this over the air, so game over anyway.
Of course session time-out typically means this is only valid for “fresh” data… but still worth bearing in mind.
This is nothing new and has been around since the Internet started, but you’d think all the hip ’2.0 tech companies and users would be up on this by now.