And I understand your post now, my bad. Always should read things twice :P . AP spoofing is a big threat, and it's yet another good reason why never to enter your credit card to access wifi anywhere (besides the whole having to pay part :P ).

Who said anything about using public hotspots for secure transactions? Always a bad idea.

That said, the best way I've found to work around this limitation is to have an SSH server on my box at home, and set up my laptop to tunnel all my web traffic over SSH to my desktop. Any MITM attacks are then easily detected, because any potential attacker would have to present a different public key to either side, and SSH will report the probable MITM and exit. It also encrypts all traffic until it gets to your home network, preventing any packet sniffing. Here's a short tutorial I wrote up on the topic, it's a lot easier than you'd think: http://spareclockcycles.wordpress.com/2009/04/10/ssh-secure-browsing-via-socks-proxy/

I was at a McDonald's just today and tried to get on the wireless there. Unfortunately, it was a godforsaken Boingo hotspot (same as the ones that I curse at the airport on a regular basis), and the first thing it asked me for was my credit card number. Needless to say, I didn't stick around long...

They're just a developing country. (http://www.telecomasia.net/article.php?id_article=8986)

No prob, easy mistake. I remember experiencing the same thing on Windows a long while back, very annoying at the time.

You have missed something:P. All DVDs are encrypted via what's known as CSS, a very weak encryption but an encryption nonetheless. On Linux, libdvdcss will take care of that decryption for you transparently, but you do need to already have it installed for any of these ripping tools to work (including Handbrake). On Windows, you need to get something like AnyDVD or DVD43 to decrypt the DVD for you.

No offense, but having a good understanding of XSS attacks at 17 doesn't exactly equate to the mathematical and analytical abilities of Edward Dijkstra. I know I don't put myself anywhere near that level. In fact, I'd argue that the chances are well in favor of him doing something like this again, except worse, rather than his becoming someone who does something beneficial for the world. I mean, look at all the attention he has gotten for this. Imagine what would happen if he does something worse! Punish him now, make him understand the gravity of his actions.

FAIL. Wrong link, my apologies...Google apparently hasn't cached it yet...

Here's a link to Google's cached version of the blog, in case anyone still wants to read it: http://tinyurl.com/cspfrq

You won't find one better than Handbrake, works great for me. Here's a howto I wrote on the topic: http://spareclockcycles.wordpress.com/2008/12/11/handbrake-for-dvd-ripping-on-ubuntu/

Well, I do, Firefox 3 on Ubuntu. Don't know what to tell you. I agree, doesn't really increase security all. But it sure does make people feel safe, and that's what really matters, right? :P

Yeah, you're right. My bad. Someone at Bank of America must have seen that demo and added in some javascript to do that.

http://www.securityfocus.com/brief/910

From everything I've read about this attack, it does not present an https:/// URL on unencrypted traffic, just attempts to trick you into thinking it is encrypted by covertly changing all the https:/// links to http:/// and presenting a padlock favicon on supposedly encrypted sites. It mainly relies on the hope that you don't notice the http:/// link. I would be interested to hear where you have seen otherwise though.

If you're using Firefox, unlike in the demonstration shown on the sslstrip site, it will show you where the link on a button goes to. Make sure that the mouseover link says https:/// and you should at least be better off. Although, then you can start doing things with javascript to change what the mouseover property displays, so there's still room for an attack I guess. Like I said, better to just make sure that there isn't a MITM and its not a problem.

On a side note, I did notice though that Bank of America (a site he showed off the attack on) has since made their home page SSL encrypted. Good for them.