Kindle cookies?

[6charlong]

I was reading about Firesheep (http://www.pcworld.com/businesscente..._spx_h_cbintro) and it got me wondering how safe it is to connect a Kindle to Amazon over a public Wifi connection.

Perhaps there are no cookies passed since every Kindle is known to Amazon (assuming they each have a unique identifier burned in at the factory), but if you use the browser to go to other sites could Firesheep work on a Kindle session?

I lack technological sophistication. Maybe this question is nonsense. I was just wondering how comfortable to get on public Wifi services with a Kindle or iPad.

[paperwastage]

Kindle 3 using wifi... unsafe obviously... if you go through https, it should be safer

the kindle 3 HAS cookies stored... dont understand ur question about cookies passed

[6charlong]

Quote:

Originally Posted by paperwastage

Kindle 3 using wifi... unsafe obviously... if you go through https, it should be safer

the kindle 3 HAS cookies stored... dont understand ur question about cookies passed

It's quite possible that I missunderstood what's happening after I read this article:

http://www.pcworld.com/businesscente...tml?tk=mod_rel

It seems like the way Firesheep works is to snag a cookie from a site you access from a public access point--hopefully not your bank--and then the black hat uses it later to spoof your identity at the site that sent you the cookie. So I wondered if the Kindle receives cookies and stores them to authenticate you at later visits.

I was thinking that maybe Amazon burned all but the IP address of the Kindle into the CPU or something (at the factory) so they didn't need to pass a cookie that could be used to access your actual account.

[Mithent]

It's possible that the Kindle does not use cookies for access to the store, because it's not accessed through the web browser and may therefore use some other method of authentication which Firesheep does not intercept. However, even if it transmits another unique ID that Firesheep can't currently capture, it would be possible to intercept that on an unsecured network if it's transmitted in the clear/unencrypted. There's nothing particularly novel or special about Firesheep - packet sniffing isn't some new exploit, it's unavoidable with an unencrypted connection. It's just a packaged-up tool to use packet sniffing to specifically steal cookies.

Hopefully the Kindle encrypts all its ID/login-related communication with Amazon; if that's the case then none of this would be a concern.

[HarryT]

Quote:

Originally Posted by Mithent

It's possible that the Kindle does not use cookies for access to the store, because it's not accessed through the web browser...

I really must disagree - the store most certainly IS accessed through the web browser.

[Mithent]

Quote:

Originally Posted by HarryT

I really must disagree - the store most certainly IS accessed through the web browser.

You can access the full Amazon website using the web browser, but I was under the impression that the built-in Kindle store was separate, since it's fixed-purpose. They do not behave in the same way, e.g. the store has pages which are switched between with the turn page buttons, and you do not ever scroll as you do in the browser. The store also renders in exactly the same way on the Kindle 2 and 3, despite the different web browser. but differently on the Kindle 1, to suit its navigation control. But I could be wrong, perhaps they do share code.

Of course, it could pass some other kind of authentication over HTTP rather than using cookies, I suppose.

[HarryT]

Sorry, I should have elaborated. You are correct that the Kindle store is not accessed via the "standard" Kindle web browser interface, but I am 99.9% certain that it is being displayed as web pages, and displayed using exactly the same HTML display control that the "standalone" web browser uses.