Six Lines


Posted by Aaron Massey on 26 Oct 2010.

A couple of days ago, Eric Butler presented a proof-of-concept Firefox extension that uses HTTP session hijacking. It’s called Firesheep. What is HTTP session hijacking? Here’s Eric:

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

Eric may be underselling the commonness of this problem. It’s everywhere, and it needs to be addressed. However, just because it’s common and web developers need to fix it doesn’t make the use of tools like Firesheep legal.
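The exposure Eric describes, and the fix developers need to ship, can be checked mechanically. The sketch below is an added example, not code from the original post or from Firesheep: it takes the `Set-Cookie` header a site issues at its encrypted login and lists the later requests on which a browser would send that cookie in cleartext. The host `example.test`, the cookie value and the URLs are constructed, and cookie matching is simplified to host-only cookies with prefix path matching.

```python
from urllib.parse import urlsplit

# Constructed sample data: a login response header and later page loads.
WEAK = "session=CONSTRUCTED-VALUE; Path=/; HttpOnly"
HARDENED = "session=CONSTRUCTED-VALUE; Path=/; HttpOnly; Secure"
BROWSING = [
    "https://example.test/login",
    "http://example.test/home",
    "https://example.test/account",
    "http://example.test/img/logo.png",
    "http://other.test/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attr names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cleartext_exposures(set_cookie, cookie_host, request_urls):
    """Return the URLs on which the cookie would travel unencrypted."""
    _, attrs = parse_set_cookie(set_cookie)
    secure = "secure" in attrs      # HttpOnly is irrelevant to sniffing
    path = attrs.get("path") or "/"
    exposed = []
    for url in request_urls:
        u = urlsplit(url)
        if u.hostname != cookie_host:            # host-only cookie (assumption)
            continue
        if not (u.path or "/").startswith(path):  # simplified path match
            continue
        if u.scheme == "http" and not secure:
            exposed.append(url)
    return exposed


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, cleartext_exposures(header, "example.test", BROWSING))
```

The `Secure` attribute only stops the browser from sending the cookie over HTTP; the site still has to serve every page over HTTPS for the session to stay usable and protected.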