How safe is it to browse other websites in the same browser while logged in to this forum? Would this allow those websites to steal my password or use my authentication to pose as me?
Currently I use a VM to keep the browser instances separate, but is that necessary?
Browsing other sites while logged in
*Always* check the changelogs BEFORE updating that important software!
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Browsing other sites while logged in
barbaz wrote:
How safe is it to browse other websites in the same browser while logged in to this forum? Would this allow those websites to steal my password or use my authentication to pose as me?
Currently I use a VM to keep the browser instances separate, but is that necessary?

No and no.
Re: Browsing other sites while logged in
Awesome, thanks for telling me.
Re: Browsing other sites while logged in
A slightly longer answer: In general, if you stay logged into one site while browsing around other sites, then yes, those other sites might be able to use your authentication to pose as you.
However, there are ways for the logged-in site to defend itself against this, and you can be sure that Giorgio uses them.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Browsing other sites while logged in
Thrawn wrote:
A slightly longer answer: In general, if you stay logged into one site while browsing around other sites, then yes, those other sites might be able to use your authentication to pose as you.
However, there are ways for the logged-in site to defend itself against this, and you can be sure that Giorgio uses them.

So it's not up to NoScript to defend against this? With the authentication in an unencrypted connection, what's stopping the other sites I'm browsing from sniffing the traffic and/or cookies and then using that information?
- Giorgio Maone
- Site Admin
Re: Browsing other sites while logged in
barbaz wrote:
With the authentication in an unencrypted connection, what's stopping the other sites I'm browsing from sniffing the traffic and/or cookies and then using that information?

Unencrypted connections don't allow "other sites" to sniff anything. Web sites can't "sniff" each other's traffic, no matter if it's encrypted or unencrypted.
Other sites can steal credentials or impersonate you by using web application level attacks, such as XSS or CSRF, which -- if the web site is affected and/or you're not protected by NoScript -- work independently from encryption (HTTPS won't save you from session riding or an XSS attack).
HTTPS/encryption prevents your traffic from being sniffed by other parties on public networks, or by your ISP if interested.
Hence sound advice, if you value your credentials in forums like these, is to never use them on a public Wi-Fi spot and to always use unique passwords (don't recycle across sites). The latter advice, of course, is valid in any case for any web site, because your password can be stolen in its stored form if the website's database gets compromised (even if it's stored encrypted like it should be, it's usually just a matter of time for an offline attacker), or a site operator can intercept it on the fly by backdooring the login form.
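The site-side defence Thrawn alludes to, set against the session riding (CSRF) Giorgio describes, as an added example that is not part of the original posts and is not this forum's actual code. The origin `forum.example`, the cookie name `sid`, the session store and the request dictionaries are all constructed for illustration; the check is independent of whether the connection is encrypted.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://forum.example"  # hypothetical site origin
SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to the browser
SESSIONS = {"s3ss10n-abc": "barbaz"}   # constructed session store: cookie value -> user


def csrf_token(session_id: str) -> str:
    """Token the site embeds in its own forms, bound to one session by HMAC."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def cookie_only_check(req: dict) -> bool:
    """Weak: trusts the session cookie, which the browser attaches automatically."""
    return req["cookies"].get("sid") in SESSIONS


def hardened_check(req: dict) -> bool:
    """Cookie plus proof that the request was built from the site's own page."""
    sid = req["cookies"].get("sid")
    if sid not in SESSIONS:
        return False
    if req["method"] in ("GET", "HEAD"):
        return True  # safe methods must not change state, so no token is required
    origin = req["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False  # the browser reports that another site built this request
    sent = req["form"].get("csrf_token", "")
    return hmac.compare_digest(sent.encode(), csrf_token(sid).encode())


def make_request(origin: str, form: dict) -> dict:
    """Constructed POST; without a SameSite restriction the cookie rides along."""
    return {"method": "POST", "cookies": {"sid": "s3ss10n-abc"},
            "headers": {"Origin": origin}, "form": form}


TOKEN = csrf_token("s3ss10n-abc")
own_form = make_request(SITE_ORIGIN, {"message": "hi", "csrf_token": TOKEN})
forged = make_request("https://other.example", {"message": "spam"})
wrong_token = make_request(SITE_ORIGIN, {"message": "spam", "csrf_token": "0" * 64})

if __name__ == "__main__":
    for name, req in [("own form", own_form), ("forged", forged), ("wrong token", wrong_token)]:
        print(f"{name:12} cookie-only={cookie_only_check(req)} hardened={hardened_check(req)}")
```

The forged request passes the cookie-only check because the session cookie arrives with it, and fails the hardened check because a page on another origin cannot read the per-session token.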
Re: Browsing other sites while logged in
If it requires an attack scenario to steal my password/authentication, and since I always log in here with a browser running NoScript... I guess I'm safe then as long as I only log in from networks I know and trust that don't use unencrypted Wi-Fi.