sterlingz Posted November 1, 2010

As many have no doubt heard, the Firefox extension Firesheep has been released into the wild, allowing "session hijacking for dummies." In a nutshell, this extension allows anyone running it on an open WiFi network (say, at Starbucks) to see and even take over another user's Facebook, Twitter, Foursquare and many other services' accounts on that same network. Unfortunately, Evernote is on this list*. For non-premium users, it is now a trivial matter to have your account hijacked by another user on an open network. My recommendation would be to never use a standard Evernote account on an open WiFi network.

But this brings up another point: I believe that secure access is really a standard feature, not a Premium one. I realize that Evernote has used SSL as a way to sell Premium accounts (it was a selling point for me). But I think the right thing to do is to protect all of your users from attack. There are many other Premium features. The threat of having your data compromised should not be a reason that you feel compelled to upgrade to Premium. That would be cynical.

In the words of Eric Butler, Firesheep's developer: "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."

I certainly hope that users of Facebook, Twitter and the like do indeed win by forcing the adoption of SSL across all transactions on all of these platforms. Google had already done so with Gmail, preventing this vulnerability. And my hope is that Evernote will do the right thing by all of its users, not just those of us who've elected to buy a Premium subscription.

*Incidentally, the inclusion of Dropbox on this list is not accurate. Dropbox staff have already confirmed that their cookies are encrypted, all transactions are over SSL, and this extension does not work. It would be great to receive a similar confirmation from Evernote staff that they have tested it and SSL is properly implemented for Premium users and they are protected against this extension.
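The post describes the exposure in prose: a session cookie that a browser transmits over plaintext HTTP can be read by anyone on the same open WiFi network, while a service that keeps all transactions on SSL is not affected. The following is an added example, not code from the forum post or from Evernote or Dropbox, showing the check a site operator (or a user reading a site's response headers) would run: parse the Set-Cookie headers a server returns and report which session cookies a browser would still send in the clear. It also shows a caveat the post does not spell out: "all transactions over SSL" only closes the hole if the cookie also carries the Secure attribute, because without it the browser attaches the cookie to any http:// request to the site, including one the server immediately redirects to https. The sample headers and the session-cookie name heuristic (SESSION_HINTS) are constructed for this example.

```python
"""Added example (not from the forum post): audit Set-Cookie headers and
report which session cookies a browser would transmit over plaintext HTTP,
the exposure that Firesheep-style sniffing on open WiFi depends on.
Sample headers are constructed for illustration, not captured from
Evernote or any other real service."""

from dataclasses import dataclass, field


@dataclass
class CookieInfo:
    name: str
    secure: bool = False      # Secure attribute: browser sends only over https
    httponly: bool = False    # HttpOnly attribute: hidden from page scripts
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    info = CookieInfo(name=name)
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            info.secure = True
        elif key == "httponly":
            info.httponly = True
        else:
            info.attributes[key] = value.strip()
    return info


# Name fragments that usually mark an authentication/session cookie.
# Heuristic chosen for this example; a real audit should use the site's
# documented cookie names instead.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def browser_would_send(cookie: CookieInfo, scheme: str) -> bool:
    """Browsers attach a Secure cookie only to https requests. A cookie
    without the attribute goes out on any http:// request to the site,
    even one the server immediately redirects to https, so an on-path
    listener sees it in the clear."""
    return scheme == "https" or not cookie.secure


def audit(set_cookie_headers):
    """Classify each session-like cookie as 'protected' (never leaves the
    browser in the clear) or 'exposed' (readable by anyone sharing the
    open WiFi network). Non-session cookies are not reported."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session_cookie(cookie.name):
            continue
        exposed = browser_would_send(cookie, "http")
        report[cookie.name] = "exposed" if exposed else "protected"
    return report


# Constructed sample: one exposed session cookie, one protected one, and
# a non-session preference cookie that the audit ignores.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "auth_token=def456; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {verdict}")
```

Run against the constructed sample, the audit reports `sessionid` as exposed (no Secure attribute, so the browser would send it on a plaintext request) and `auth_token` as protected. Feeding the function the real Set-Cookie headers from a site's login response is the confirmation the post asks Evernote for: if every session cookie is marked Secure and every page is served over SSL, the sniffing described above has nothing to capture.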