By: Larry Seltzer
- 10.26.2010
If you didn't already know that plain HTTP sessions are utterly insecure, here's proof: a new Firefox add-on named Firesheep captures sessions on open Wi-Fi networks and goes one sinister step further. It finds users logged into Facebook, Twitter, Google, Amazon, Dropbox, Evernote, Wordpress, Flickr, bit.ly and more, and lets you take over their sessions and become them.
This isn't revolutionary in any way. Session hijacking in HTTP is old news, but it may never have been this easy before. For Windows users it's a bit harder, as they have to install WinPcap, a packet capture library, but that's not much of a barrier. An OS X version is also available.
What can you do? Don't use open, unencrypted Wi-Fi networks or, if you do, use a VPN on them. At the very least, use HTTPS sessions on open networks. Hat tip to TechCrunch for suggesting Force-TLS, another Firefox extension that forces Firefox to use HTTPS (TLS) connections from certain sites.
Many of these sites offer TLS (HTTPS) connections, but don't default to them. Support can be flaky: Facebook on TLS has no chat available. What's up with that? Some services, like Gmail, have moved to all-TLS all the time.
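As an added example (not from this post or from Firesheep's authors), here is a small Python check for the server side of this problem: it parses a constructed HTTP response and lists every cookie set without the Secure attribute, which the browser will also send over plain HTTP and which anyone sniffing an open network can therefore replay. The sample response and the session-name hints are assumptions, not any real site's headers.

```python
"""Flag cookies a server sets that the browser will also send over plain HTTP."""
from typing import Dict, List, Tuple

# Constructed sample response (assumption, not a real site's headers): the
# site offers HTTPS but does not mark its session cookie Secure.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=xyz789; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Name fragments that usually indicate an authenticated-session cookie (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookies(raw_response: str) -> List[Dict[str, object]]:
    """Return one dict per Set-Cookie header: name, value and lower-cased attributes."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    cookies: List[Dict[str, object]] = []
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name, _, val = parts[0].partition("=")
        attrs: Dict[str, str] = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
        cookies.append({"name": name.strip(), "value": val, "attrs": attrs})
    return cookies


def exposed_cookies(raw_response: str) -> List[Tuple[str, bool]]:
    """(name, looks_like_session) for each cookie lacking the Secure attribute.

    Without Secure, the cookie rides along on every http:// request to the
    site, so a passive sniffer on an open network sees it in the clear.
    """
    findings = []
    for c in parse_set_cookies(raw_response):
        if "secure" in c["attrs"]:
            continue
        name = str(c["name"])
        findings.append((name, any(h in name.lower() for h in SESSION_HINTS)))
    return findings
```

Any entry flagged as a session cookie is exactly the kind of credential the add-on described above collects; marking it Secure (and serving the whole site over TLS) removes it from the wire.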
I don't think there's any particular reason why Firesheep should be limited to Wi-Fi networks. Regular wired Ethernet connections aren't encrypted by default either. I'll research this and report back.