• Blogroll

  • DevelopSec

• Archives

  • March 2024
  • December 2023
  • January 2023
  • August 2022
  • February 2020
  • October 2019
  • May 2019
  • June 2018
  • November 2017
  • June 2017
  • February 2017
  • October 2016
  • September 2016
  • May 2016
  • February 2016
  • January 2016
  • November 2015
  • October 2015
  • September 2015
  • April 2015
  • October 2014
  • August 2014
  • December 2013
  • November 2013
  • October 2013
  • July 2013
  • May 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • September 2012
  • August 2012
  • July 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • September 2011
  • July 2011
  • June 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • November 2010
  • October 2010
  • September 2010
  • July 2010
  • May 2010
  • April 2010
  • February 2010
  • January 2010
  • December 2009
  • October 2009
  • August 2009
  • April 2009
  • March 2009
  • January 2008
  • December 2007
  • October 2007

Firesheep: A Repudiation Issue

I recently posted on some of the hype surrounding the new Firesheep FireFox extension. Today, ComputerWorld (http://www.computerworld.com/s/article/9194159/Is_it_legal_to_use_Firesheep_at_Starbucks_) had an article discussing the legal issues around the use of the tool. I believe the legal aspect is important, but could be very difficult to prove. I am more interested in the implications that this tool can have of the authenticity of the information found on some of the social sites.

We have all heard stories about employers checking Facebook or MySpace regarding their current or future employees. Some people have been fired or not hired based on content on their social sites. Relationships have been dissolved because of the information found on a spouse’s network. Most recently, cyber bullying has become a huge problem among school age users.

I will use Facebook as the example because it is one of the most known and understood social networks. If there is a tool that exists that makes it fairly simple for others to post to your wall (Firesheep), then to what extent can the information on your wall be trusted? Does this new tool make it easier for the offender to say that they did not post that message and that it must have happened while on a public hotspot? If the message was actually posted while at a public place, is it possible to prove whether or not the actual user posted it or not? I guess you could review the logs to look at the user-agent and look for anomalies, but a savvy user could defeat that very easily. It would be pretty difficult to show which computer actually did the post.

What does this effect? Remember that employee that got fired for posting something offensive or against corporate policy? Did he post it? Did an attacker post it? We run into an issue of repudiation. If they cannot prove the user did or did not post the material then you cannot find them guilty. This could make it difficult for employers, or other entities from relying on information on these sites.

I understand the point of the tool is to show the weaknesses in the security for these sites. I believe that it should also show that the information found on these sites may not necessarily be as accurate as we once thought. Use the information with caution, as it could come back to haunt either party.

Comments

• Follow Us

  

  

  

  
  
  
  

• Recent Posts

  • Securing the Forms Authentication Cookie with Secure Flag
  • Does ASP:Textbox TextMode Securely Enforce Input Validation?
  • Disabling SpellCheck on Sensitive Fields
  • What is the difference between encryption and hashing?
  • XmlSecureResolver: XXE in .Net