Do I need to use Google Account Authentication instead of Spring Authentication to avoid Firesheep cookie-sniffing attacks?

I read about Firesheep and wondered how I can protect my Spring MVC 3.0 site from attacks such as:

It is extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for sites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker grabs a user's cookie, allowing them to do something the user can do on a particular website. On an open wireless network, cookies are basically screamed through the air, making these attacks extremely easy.

Are there specific configuration options in Spring MVC that can help protect against this kind of attack?

According to the article:

The only effective fix for this problem is full end-to-end encryption, known on the Internet as HTTPS or SSL.

I have a Spring website that I run on the Google App Engine. Does this mean that I need to use Google account authentication, not the built-in authentication provided by Spring, if I want to avoid such an attack?

+3
2 answers

firesheep , . HTTPS, . , , , , , HTTPS. App Engine, , appspot (myapp.appspot.com).

+3

HTTPS -, , Google App Engine, , -, . .

+1
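
As an added example (not part of the original question or answers), this fragment of a Java web application's `WEB-INF/web.xml` shows the login-only HTTPS constraint that the quoted article warns about beside a site-wide one. The URL patterns and resource names are assumptions.

```xml
<!-- Added example: fragment of WEB-INF/web.xml.
     URL patterns and resource names are assumptions. -->

<!-- Weak (shown commented out): only the login form is forced onto HTTPS.
     The session cookie issued after login is then sent in clear text with
     every other request, which is what a sniffer on an open network captures.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login-only</web-resource-name>
    <url-pattern>/login</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-->

<!-- Corrected: every URL of the application requires an encrypted transport,
     so authenticated requests carrying the session cookie travel over HTTPS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>entire-site</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The transport constraint applies regardless of which login mechanism issues the session. After deploying, check that the session cookie's `Set-Cookie` header carries the `Secure` attribute so the browser never sends it over plain HTTP.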

Source: https://habr.com/ru/post/1771292/

