October 27, 2010
The road to Hell is paved with good intentions. I was reminded of that today when reading about Firesheep, a Firefox addon that lets anyone who knows how to click a mouse steal the account credentials for anyone on an open Wi-Fi network. The developer, Eric Butler, claims to have been frustrated by what he perceived as a lack of attention being paid to HTTP Session Hijacking. That led him to create Firesheep, which gives anyone within wardriving distance of your open wireless network the ability to just click on your name and be automatically logged in to your Facebook, Twitter, Hotmail, Yahoo, and dozens of other accounts.
According to Butler, the real problem isn't the open Wi-fi, but rather the sites' failures to properly secure the transactions. For example, some sites don't use HTTPS at all; others use HTTPS only for the login page but after that it's all HTTP again, or some use HTTPS throughout but don't secure the cookie itself. Since the cookie gets sent along with subsequent requests (like clicking the Like button), stealing these cookies can give anyone direct access.
So now, thanks to Butler, your neighbor - or your neighbor's kid or some random guy in a coffee shop or parked car - no longer has to have any skill whatsoever to hack into your accounts. All they need to do is load up his free Firesheep addon and make a couple of mouse clicks. And apparently lots of neighbors and random coffee house dudes (and dudettes) are doing just that - in the first day of Firesheep's release it became one of the hottest trending topics in the U.S. and was downloaded nearly 200,000 times.
Butler proposes various workarounds to prevent your showing up in Firesheep, but dismisses the notion that open Wi-fi should be avoided. However, his recommendations all require either more Firefox addons (leaving Internet Explorer, Safari, and Opera users out in the cold) or getting a dedicated VPN. Personally, I think it's far easier (and overall wiser) just to avoid open Wi-fi networks. Otherwise, you're left at the mercy of all of these disparate websites to actually fix the problem on their end. And we know how seriously Facebook has taken security concerns in the past, don't we?
By the way, if you're thinking of trying out the Firesheep addon, keep in mind that it requires administrative rights to your computer and it comes from a virtually unknown (until now) source. Which means Firesheep could do pretty much anything else it wanted on your computer (Mac or PC), which is a lot of privilege to give to an app that already does enough malicious things. Not to mention that the only thing we do know about the developer is that he's not adverse to producing exploit tools to prove a point.