Six Lines

Protection from Firesheep

Posted by Aaron Massey on 28 Oct 2010.

Now that Firesheep’s been out for a while, people are starting to actually see the problems it is causing. Here’s a quote from a great article on protecting yourself from Firesheep:

“I was in a Peet’s Coffee today, and someone was using Firesheep,” said Andrew Storms, director of security operations at San Francisco-based nCircle Security. “There were only 10 people in there, and one was using it!”

Don’t think that you’re safe. Don’t think that it won’t happen to you. Be careful when you’re using public wifi. Frankly, even without Firesheep, there are numerous tools that can be used to read unencrypted traffic on public wifi networks. Remember the TJX data breach back in 2007? Yeah, that was at least a billion-dollar wifi encryption snafu.

If you’re really concerned, read the Computer World article on protecting yourself. Check out the EFF’s HTTPS Everywhere plugin. Check out the ForceHTTPS plugin from Stanford’s Crypto group.

Lastly, if you’re just frustrated and wondering why someone would develop and release something like Firesheep, consider the alternative. Sidejacking is a serious computer security problem. It’s been a problem for some time. Web companies don’t want to use HTTPS because it is more expensive in terms of compute cycles, power, and–at the end of the day–real world costs. How is it going to be fixed unless these web companies view it as their problem? Consider this quote from the Computer World article:

“The real story here is not the success of Firesheep but the fact that something like it is even possible,” Butler wrote in his blog on Tuesday. “Going forward, the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.”

This is the purpose of full disclosure, which many security researchers view as a very important tool for improving the security of real world software. Firesheep is painful for a lot of people right now, but hopefully more companies will stop putting their users at risk and start using HTTPS by default as a result of Firesheep.