So there’s this thing called Firesheep. It’s a Firefox add-on (not yet available for Linux) that makes it easy to steal someone’s connection to basically any website (like Facebook, Twitter, or Amazon) – if:
- You’re on the same network as that person (think free coffee shop Wi-Fi, college networks, etc.), and
- The connection to the website is unencrypted – that is, it’s not using HTTPS.
Let’s be clear: it’s always been possible to do this. In fact it’s never been that hard. All this tool actually does is make it easy. Really, really easy: I installed it yesterday while in a coffee shop here in Raleigh and within 5 minutes had access to a dozen different Facebook accounts, a couple of Yahoo accounts, and at one Amazon account. (Imagine what I could have bought myself with that Amazon account if the owner had 1-Click ordering turned on!)
The reason this is possible comes down to money: Most web companies aren’t spending the time and money necessary to properly support encrypted connections, and they’re leaving us – their users – vulnerable. Every web service already uses HTTPS for encrypted connections – they use them when you log in, in order to protect your password. Once you’ve logged in, though, they switch you back to the unencrypted connection, and your session becomes vulnerable.
For example, you can log into Facebook securely. Go ahead and try https://www.facebook.com/ and you’ll see the nice lock icon that indicates that yes, your connection is encrypted and secure. But you’ll notice that clicking any link on the page will bring you to regular unencrypted Facebook – and make you vulnerable to hijacking.
Twitter’s almost worse: while https://twitter.com/ works, and all the links will keep you on the secure site, the automatic refreshing code uses an insecure connection. So you don’t even need to click any links to make your session vulnerable.
Amazon is possibly the most blatant: if you go to https://www.amazon.com/ you will be automatically redirected to the insecure http://www.amazon.com/. Oddly, though, https://www.amazon.ca/ works just fine. Score one for Canada, I guess!
Google does a better job than most. They changed GMail to use HTTPS by default a while ago, and you can go to https://www.google.com/ and conduct all your searching over encrypted links. Because of this, I wasn’t able to steal any GMail sessions (even though they did show up in Firesheep).
A lot of the press reaction has completely missed the point. Computerworld published an article with the headline: “Mozilla: No ‘kill switch’ for Firesheep add-on“. What? There’s no point in trying to block the add-on itself. It’s still just as possible to hijack people’s web sessions as it’s always been. They also mention that “Using Firesheep may be a criminal offense under U.S. law”, a useless non-revelation echoed by AOL’s Download Squad. Yes, it might be illegal, but this won’t stop anyone from using it any more than jaywalking laws prevent people from walking across streets. ZDNet claims: “Firesheep’s Real Lesson: Take Wi-Fi Security Seriously“, which is utter nonsense. It doesn’t matter whether you used a password to access the coffeeshop’s Wi-Fi or not, as long as Facebook, Amazon, et. al. are failing to keep your data safe anyone on your network can steal your session.
Here’s the point, in the words of Firesheep’s author: “Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”
Or in other words: Facebook is screwing your privacy, yet again. And they’re not the only ones. So start writing to them. Tell them they need to start moving to HTTPS everywhere.
In the meantime, if you’re going to use any public networks – coffee shop Wi-Fi, computer labs, dorms, whatever – either stay off of Facebook and Twitter and friends (it’ll help you focus, anyway) or set up a VPN on your home network and connect through that.