Firesheep is an extension for the Firefox web browser developed to illustrate the failure of many major websites to secure user access and data on their networks. When you log into websites such as Facebook and Twitter they may secure your connection and information when you log in but not as you post updates or otherwise interact on their social network.
"Sample of Firesheep" is (c) 2010 PhoneBoy and made available under an Attribution-NonCommercial-ShareAlike 2.0 license.
This leaves users open to a hacking attack known as session hijacking. Firesheep is effectively a point and click graphical user interface for the otherwise complicated hacking technique. With Firesheep, someone simply has to connect to a public wi-fi network, say at a cafe, open the Firefox web browser and activate Firesheep. There magically appears a list of all users currently logged into Facebook, Twitter, etc. Point, click, and you're posting photos and status updates as someone else, which in some states is ILLEGAL. Some University students have found that campus wireless networks may also be at risk.
So why would anyone every make such a tool again? That's right, to illustrate that popular websites with potentially sensitive data should be using encryption for the entire user session on their websites.
Why don't websites with millions of users encrypt their entire sessions? They say it's because it's costs lots of money. And in fact, some websites have the capability to encrypt entire sessions, such as Facebook. This part is key and it's what allows us as users to bring some level of sanity back into this issue.
If you've already installed NoScript as I suggested in a previous post about securing yourself against clickjacking attacks, you're in luck because it comes built in with functionality to force a redirect to an encrypted page if it's available. Browse to your Add-ons in Firefox and enter the Preferences for NoScript. Go to the Advanced tab. This will open up another set of tabs, click on the HTTPS tab. Here you can add websites to the force secure connections list. In this screenshot I have added Facebook, Twitter, and Google.
If NoScript is too complicated for you there is a somewhat easier extension to battle this encryption elephant in the room. This extension is called HTTPS-Everywhere and it is provided by the lovely and amazing people at the Electronic Frontier Foundation, who in fact always use encryption when users view their website. For added protection on Facebook, users are advised to view Tools>Add-ons>Firesheep Preferences and enable the "Facebook+" option. As it warns in this window, enabling this option may break some Apps.
Both NoScript and HTTPS-Everywhere currently break some functionality on Facebook, mainly the Chat feature.
Chrome/Chromium, Internet Explorer, Safari, and Opera users are out of luck. The current extension development tools for Chrome/Chromium and Opera are such that a redirect to a secure page can only take place after the user has exchanged information with the web server, thus making the encryption after that point already compromised. Google claimed to be fixing this problem in their latest release of Chrome/Chromium 10 but developers of these extensions have been unable to resolve the issue even with the latest 10 release.
No comments:
Post a Comment