Session Hijacking in New York

Mozilla people spend a lot of time thinking about security – how to make the browser even more secure, and how to keep our users safe from phishing and data theft. Although our phishing protection (based on people reporting bad sites) is pretty good, you can imagine “perfect” phishing protection – where someone who knew all the signs of phishing was sitting there watching a user surf, and tapped them on the shoulder to say “don’t do that” when they were about to get phished.

With that kind of perfect, no-false-positive warning about dangerous things, the problem would be eliminated, right? I mean, no-one would carry on doing something dangerous to their privacy or security after being personally and specifically warned about the danger of their current actions by another human being, right?

Wrong.

7 thoughts on “Session Hijacking in New York”

  1. Mozilla is still good compared to other browsers. Hope it will continue further with more upcoming add-ons and a lite & trendy browser.

  2. Some even see that constant look at what they are doing by their software and possible tap on the shoulders by it as a privacy intrusion in itself and wander off to a product like SeaMonkey that doesn’t include “safebrowsing” as of now. No kidding, I read a number of such messages and as a member of the SeaMonkey and wider Mozilla teams/communities, I never know if I should laugh or cry about that.

  3. Kairo: SafeBrowsing doesn’t send the URLs you visit to anyone, it downloads a blacklist. And I think this is the right tradeoff for the vast majority of people. But if you don’t want any SafeBrowsing at all, you can turn it off in the preferences. There’s no need to switch to an alternative product.

  4. Gerv, we know the facts. The problem is, these privacy fanatics don’t. Look around in forums – everybody is absolutely certain that Mozilla is getting each address you visit.

  5. Addition to the above: I don’t think that the facts are particularly hard to find or to understand. It’s more like there is a significant group of people who simply don’t care about the facts, they prefer being hysterical. Or maybe it’s the mass media conditioning people to the evil word “Google”.

  6. Bear in mind, we’re talking here about Facebook accounts. When people post something on there, they sort of *expect* people to read it. That’s kind of the point. Telling them “Look, I got into your Facebook account and read your stuff” is kind of like saying “Hey, your underwear is showing” to people who deliberately wear their pants too low so that their underwear shows.

    Okay, so some of the people quit and/or left. That could mean they were shocked that this was possible and will be more careful in the future. Or it could mean they finished their latte. It could also mean they were annoyed that a complete stranger was bugging them.

    When some random dude you don’t know sits down at your table in a restaurant and starts talking to you, what do you do? Do you stop going to restaurants? Or do you just leave this time and try to avoid that particular annoying stranger in the future?

  7. Jonadab: there’s a difference between wanting your friends to read something and wanting everyone to read it (albeit a difference Facebook is trying hard to erode). And there’s also a big difference between wanting people to read your stuff, and wanting them to be able to impersonate you. Firesheep is not about being able to read people’s Facebook pages, it’s about being able to log in as them!
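The impersonation Gerv describes works because a session cookie sent over plain HTTP can be captured on a shared network and replayed. The defender-side check is whether the site marks its session cookie so the browser will only ever send it over HTTPS (the `Secure` attribute) and keeps it out of reach of page script (`HttpOnly`). The following is an added example, not code from the post or from Firesheep; the `Set-Cookie` headers are constructed for illustration, `example.com` is a placeholder, and `sent_over` assumes the cookie's domain and path already match the request so that only the URL scheme decides.

```python
"""Audit Set-Cookie headers for attributes that limit session hijacking.

Added example (not code from the blog post or any project it mentions).
The header strings and the example.com domain are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record hardening gaps.

    Only the attributes relevant to session theft are inspected; other
    attributes (Path, Domain, Expires, ...) are skipped.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip() or None

    findings: List[str] = []
    if not secure:
        findings.append(
            "missing Secure: the browser sends this cookie over plain http://, "
            "so anyone able to observe the traffic can replay it"
        )
    if not httponly:
        findings.append("missing HttpOnly: page script can read the cookie")
    if samesite is None:
        findings.append("missing SameSite: cookie rides along on cross-site requests")
    return CookieAudit(name, secure, httponly, samesite, findings)


def sent_over(audit: CookieAudit, url: str) -> bool:
    """Would a browser attach this cookie to a request for `url`?

    Assumption: domain and path already match, so only the scheme matters.
    A Secure cookie is withheld from any non-https request.
    """
    scheme = urlparse(url).scheme.lower()
    if audit.secure and scheme != "https":
        return False
    return True


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each labelled header to its list of findings (empty = hardened)."""
    return {label: parse_set_cookie(h).findings for label, h in headers.items()}


# Constructed sample headers: one as a 2010-era site might have set it,
# one with the attributes that stop passive capture and script access.
SAMPLE_HEADERS = {
    "weak": "sid=abc123; Path=/; Domain=example.com",
    "hardened": "sid=abc123; Path=/; Domain=example.com; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, findings in audit_headers(SAMPLE_HEADERS).items():
        print(label, "->", findings or "no findings")
    for label, header in SAMPLE_HEADERS.items():
        a = parse_set_cookie(header)
        print(label, "sent over http://example.com/ ?", sent_over(a, "http://example.com/"))
```

Running the audit against a site's real login response is a quick way to tell whether a stolen-cookie replay of the kind described in the post is even possible; the `weak` header yields three findings and is attached to an `http://` request, while the `hardened` one yields none and is withheld from anything but `https://`.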