Photo by Avinash Kunnath
If you enjoy browsing Facebook or Twitter at your favorite Starbucks, things aren’t looking optimistic for you.
Two days ago, freelance web application and software developer Eric Butler released a Firefox extension called Firesheep that lets anyone (yes, even your neighbor’s cat) become an amateur hacker with a simple click of a button. Now, with nearly 300,000 downloads to date and growing, Firesheep is proving to be the catalyst we need for safer web browsing.
Technical Matters First…
How does Firesheep work? Firesheep is no different from other tools created before it to hijack unsuspecting users’ HTTP sessions. The only difference this time around is that it makes the process so much simpler for anyone to use. All you have to do is download and install the extension, and you’re set.
Whenever you log in to a website like Facebook or Twitter, the server on the other end receives the information you entered and attempts to authenticate you. If your credentials check out, you are logged in and your browser is given a “cookie” that identifies your session and is sent along with every subsequent request. Cookies are commonly used for authentication, storing site preferences, and shopping cart contents.
According to Butler, “it’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else.” In this case, many social media sites (most notably Facebook and Twitter) leave you vulnerable to attackers who can log in as you and promptly make your life miserable.
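The cookie mechanism above is the whole story: a session cookie that is sent on plain-HTTP requests travels in cleartext across the Wi-Fi, while one carrying the Secure attribute is only ever sent over HTTPS. The following is an added example, not code from the article or from Firesheep, that parses Set-Cookie headers the way a browser does, decides (per the RFC 6265 rules) whether each cookie would be attached to a request at a given URL, and shows the server-side fix of adding Secure and HttpOnly. The site name and cookie values are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False     # only sent over https://
    httponly: bool = False   # not readable by page scripts
    domain: str = ""         # empty = host that set it
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie.path = val.strip() or "/"
    return cookie


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """RFC 6265 section 5.4: a Secure cookie requires an https scheme, and the
    request host and path must match the cookie's domain and path."""
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False
    host = parts.hostname or ""
    if cookie.domain and not (host == cookie.domain or host.endswith("." + cookie.domain)):
        return False
    req_path = parts.path or "/"
    return req_path == cookie.path or req_path.startswith(cookie.path.rstrip("/") + "/")


def audit(set_cookie_headers, site_origin):
    """Names of cookies that would ride along on a request to site_origin.
    With an http:// origin this is exactly what a sniffer on open Wi-Fi sees."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if would_be_sent(cookie, site_origin + "/"):
            exposed.append(cookie.name)
    return exposed


def harden(header: str) -> str:
    """The fix on the server side: add Secure and HttpOnly if they are missing."""
    attrs = {p.strip().lower() for p in header.split(";")[1:]}
    out = header.rstrip("; ")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


# Constructed sample: what a fictional site might send right after an HTTPS
# login. Not captured from any real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # no Secure: leaks over http://
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",  # only ever sent over https://
    "theme=dark; Path=/",                          # harmless preference
]

if __name__ == "__main__":
    print("sent over plain HTTP :", audit(SAMPLE_SET_COOKIE_HEADERS, "http://example.test"))
    print("sent over HTTPS      :", audit(SAMPLE_SET_COOKIE_HEADERS, "https://example.test"))
    hardened = [harden(h) for h in SAMPLE_SET_COOKIE_HEADERS]
    print("after hardening, HTTP:", audit(hardened, "http://example.test"))
```

The catch, and the reason Butler's quote matters, is that once a session cookie is marked Secure the browser will not send it on any http:// page of the site, so a site that only encrypts its login page cannot simply flip the flag; it has to serve everything over HTTPS first.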
OMFG!@# WHAT CAN I DO TO PROTECT MYSELF FROM THE EVILS OF FIRESHEEP????
The best way to protect yourself is to avoid visiting Facebook, Twitter, or other insecure websites whenever you use a public Wi-Fi network that isn’t password protected or encrypted. No, this doesn’t mean that you should stop using public Wi-Fi. As Butler explains, “this isn’t a direct vulnerability in wifi, it’s the lack of security from the sites you’re using.”
Another simple fix is to opt for HTTPS or SSL whenever possible. By doing so, you’ll be able to browse the web with an encrypted connection that cannot be as easily read by the likes of Firesheep or other tools.
How do you know if the site you are on is using HTTPS? Usually, you can look for the “https://” in your browser’s address bar. On Google Chrome, it’s indicated by a green lock followed by the green text “https.” Like so:
Since most people wouldn’t be able to remember to type “https” every time they visit a site, there are tools that you can use to automate the process for you. On Chrome, there is an extension called KB SSL Enforcer which automatically detects whether a site supports SSL and redirects you to it. On Firefox, you can use Force TLS which does basically the same thing.
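Extensions like KB SSL Enforcer and Force TLS work by remembering which sites support HTTPS and rewriting http:// links to https:// before the request leaves the browser; the same idea was later standardized as HTTP Strict Transport Security (RFC 6797), where a site tells the browser once, over HTTPS, to use HTTPS for all future visits. The following is an added example, not the code of either extension, of such a policy store: it learns a host's Strict-Transport-Security header, honors max-age expiry and includeSubDomains, refuses to trust a header that arrived over plain HTTP, and upgrades URLs accordingly. Host names and the clock are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class StrictTransportPolicy:
    """In-memory 'always use HTTPS for this host' rules, learned from
    Strict-Transport-Security response headers (RFC 6797)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._rules = {}             # host -> (expires_at, include_subdomains)

    def learn(self, host: str, sts_header: str, over_https: bool = True) -> None:
        """Record the policy a host advertises. A header received over plain
        HTTP is ignored, since anyone on the network could have injected it."""
        if not over_https:
            return
        max_age, include_sub = None, False
        for directive in sts_header.split(";"):
            key, _, val = directive.strip().partition("=")
            key = key.strip().lower()
            if key == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return           # malformed header: drop it entirely
            elif key == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                   # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._rules.pop(host, None)   # max-age=0 withdraws the policy
            return
        self._rules[host] = (self._clock() + max_age, include_sub)

    def applies_to(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an
        unexpired rule."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            rule = self._rules.get(".".join(labels[i:]))
            if rule is None:
                continue
            expires_at, include_sub = rule
            if now >= expires_at:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite an http:// URL to https:// when a policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.applies_to(parts.hostname):
            return url
        netloc = parts.netloc
        if parts.port == 80:
            netloc = parts.hostname  # default http port becomes default https port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    policy = StrictTransportPolicy()
    # Constructed: a site that advertises the policy over HTTPS.
    policy.learn("example.test", "max-age=31536000; includeSubDomains")
    for link in ("http://example.test/login", "http://m.example.test/", "http://other.test/"):
        print(link, "->", policy.upgrade(link))
```

Because the rule is cached, the browser never makes the first plain-HTTP request on later visits, which is exactly the window a sniffer on the coffee-shop network relies on; the remaining gap is the very first visit to a site, before any policy has been learned.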
Why don’t Facebook and Twitter default to the secure HTTPS protocol?
Primarily because plain HTTP is faster. Encrypting the entire connection to the site takes slightly more time, which slows down the loading of some pages. Secondly, not enough people know enough about this security vulnerability to lash out and raise hell as they did during Facebook’s privacy debacle. Hopefully, Firesheep will ignite that badly needed public outcry to instill real change for users’ privacy.
By now, you’re probably wondering, does Firesheep actually work? Absolutely.
The simplicity of setting it up and getting it to work was chilling to say the least. Yes, I admit. I’m guilty, but the curiosity overtook me and I had to see for myself. Let this be a lesson whenever you feel the urge to tweet using Starbucks’ free Wi-Fi.