If the news of Firesheep–a simple Firefox extension that allows anyone to hijack social networking or webmail sessions over unprotected WiFi networks–has you worried, a free tool to protect you from Firesheep and its ilk released today by the Electronic Frontier Foundation is for you.
Many websites use HTTPS to secure their communications with their visitors. The protocol encrypts both requests from a browser to a website and the pages displayed from the site. “Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking,” the organization explained in a statement.
The problem is that HTTPS isn’t implemented consistently. A site may default to insecure HTTP, or mix HTTPS and HTTP references on the same page. EFF’s tool, HTTPS Everywhere, uses carefully crafted rules to switch sites from HTTP to HTTPS.
Today’s release of HTTPS Everywhere, which can be downloaded from the EFF’s website, contains enhancements specifically designed to foil Firesheep-inspired attacks.
“It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks,” asserted EFF Senior Staff Technologist Peter Eckersley. “And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal.”
The reason Firesheep is so effective is because many websites fail to use HTTPS, according to EFF Technology Director Chris Palmer. “Our hope is to make it easier for web applications to do the right thing by their users and keep us all safer from identity theft, security threats, viruses, and other bad things that can happen through insecure HTTP,” he said. “Taking a little bit of care to protect your users is a reasonable thing for web application providers to do and is a good thing for users to demand.”
Firesheep appeared at the end of last month. It was created by a Seattle-based software developer who said he created the Firefox extension to demonstrate the security risks associated with session hijacking. Twenty-six online services are targeted by the software, including Amazon, Facebook, Google, Twitter, Windows Live and Yahoo.
The mischievous software can “sniff” traffic on unprotected WiFi networks for communication between computers on the network and targeted sites. When it discovers such communication, it attempts to steal information stored in “cookies” on a computer. That information can include a user’s name and session ID. With that information, it’s possible to gain unauthorized access to an account and perform tasks such as sending email. Since passwords usually aren’t included in cookies, it’s unlikely that Firesheep could be used for more nefarious purposes such as performing credit card transactions.