I’m a bit late to the party, but have you heard about Firesheep yet? It is an interesting Firefox plugin that makes what used to take a few keystrokes very very easy.
After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big “Start Capturing” button. Then wait.
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:
Double-click on someone, and you’re instantly logged in as them.
The key there is “open wifi” network. Mostly (more on that down below).
See, too many sites have people log into their accounts using SSL but then let them use the site without necessarily staying with SSL. This allows you to get your HTTP cookie hijacked – also known as “sidejacked” – and if someone can snag that cookie they can become you on that site.
Brief note: Sidejacking is nothing new. I want to clarify that what makes Firesheep interesting is how easy it makes it.
Now I, personally, never use open wifi networks but this still has caused me to make a few changes to some of my saved bookmarks. For instance, I’ve updated all my Facebook bookmarks to be over SSL (changed them to https://www.facebook.com to be specific). (Facebook is just one example here, I’m not picking on them alone.) I’ve done the same for a few other key sites that I noticed were back to http after I signed in.
If I don’t use open wifi, why do I care? Two reasons really:
- While sidejacking is nothing new, Firesheep definitely makes it very easy to play with. The bar to entry is one the floor.
- If it works so well over open wifi I can’t help but wonder if it would work just as well with an ethernet hub. Suppose I put a hub on the office network between the firewall and the switches. Now, suppose I plug in my Firesheep equipped machine into that same hub. hey presto, I’m seeing all the traffic, just like open Wifi right? I have lots of old hubs – and I bet I’m not the only one.That scenario scares me a little.
If you can, run your traffic over SSL. While visiting your commonly used sites (that involve login credentials) see what happens when you change the http to an https. As Steve Gibson suggested in “Why Firesheep’s Time Has Come” (worth a read) you might consider the Firefox extensions of HTTPS Everywhere or Force-TLS.
A quick search for Chrome equivalents didn’t turn anything up so I’m open to suggestions there.
Oh, and if you have to use open wifi networks (Starbucks is often mentioned) and you have sites that don’t let you stay SSL you might be interested in FireShepherd. Kinda hardcore in a good way. [hat tip to Security Monkey on that one]