Firesheep Firefox Addon and How To Protect Against It
Firesheep is making waves across the Internet because it gives many people an easy way to exploit a cookie ‘hole’ and get at your login on the many Social Networking sites we use today, such as Facebook. If this worries you, you will want to know how to protect yourself.
What is Firesheep?
Firesheep is a Firefox Addon created by Eric Butler that provides an easy way for non-hackers to access others’ login info when they visit Social Networking sites. When we visit such sites, we provide our login info and password; once the site has confirmed that our credentials are correct, it gives us a “cookie” that keeps our session open. Eric explains how such “cookies” may be ‘sidejacked’ and used to access your accounts. If you are on a secured network, you are somewhat protected, but if you are using an unsecured Wifi network, then those “cookies are basically shouted through the air, making these attacks extremely easy”.
Once the Firesheep Addon is installed in Firefox, it presents the users who are on the same unsecured Wifi network and are visiting an unsecured site recognized by Firesheep. It shows each user's name and image, and with a simple click… allows you to log in as them!
Sounds Scary? You bet.
Eric states that all the sites that have been delaying or avoiding such security issues have a responsibility to all their users, and since nothing was being done, he created Firesheep to show the tremendous vulnerability. It seems that Firesheep was created to scare us users enough that we demand increased security.
How to Protect against Firesheep Accessing your Login information?
TechCrunch today published instructions by Steve Manuel on how to install and configure Force-TLS, a different Firefox Addon which helps with this situation. Basically, such an add-on forces sites that are still being loaded over HTTP to be loaded over HTTPS instead, thus encrypting your credentials and session and making the cookies ‘invisible’.
There is also an alternative called HTTPS Everywhere to help with this matter, and if you are a Chrome user, it was mentioned that KB SSL Enforcer will assist as well. Force TLS for Chrome was also just updated.
Of course, this is not as simple as just installing the Addons: you need to configure the sites you use for the Addon to work, and then make sure it is actually working. Still, it is better to be extra cautious.
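The forced-HTTPS rewrite and the "make sure it is actually working" check described above, sketched as an added example (not code from Force-TLS, HTTPS Everywhere or this post). The host names, URLs and Set-Cookie headers are constructed sample data, and the rule format and function names are hypothetical.

```javascript
// Added example. Hosts, URLs and headers are constructed sample data;
// the rule format and function names are hypothetical, not Force-TLS's own.
const forcedHosts = [
  { host: "example-social.test", includeSubdomains: true },
  { host: "mail.example.test", includeSubdomains: false },
];

// True if hostname is covered by a configured rule. The leading "." in the
// suffix test keeps "notexample-social.test" from matching.
function isForced(hostname, rules) {
  const h = hostname.toLowerCase();
  return rules.some(r =>
    h === r.host || (r.includeSubdomains && h.endsWith("." + r.host)));
}

// Rewrite http:// to https:// for covered hosts; leave other URLs untouched.
function upgradeUrl(rawUrl, rules) {
  const u = new URL(rawUrl);
  if (u.protocol === "http:" && isForced(u.hostname, rules)) {
    u.protocol = "https:";
  }
  return u.href;
}

// URLs that would still go out over plain HTTP, i.e. sites not yet configured.
function stillPlainHttp(urls, rules) {
  return urls.filter(url => upgradeUrl(url, rules).startsWith("http://"));
}

// Names of cookies whose Set-Cookie header lacks the Secure attribute. The
// browser sends such a cookie on plain-HTTP requests too, so it is readable
// on an open Wifi network whenever any request to the site is unencrypted.
function cookiesWithoutSecure(setCookieHeaders) {
  return setCookieHeaders
    .filter(line => !line.split(";").slice(1)
      .some(attr => attr.trim().toLowerCase() === "secure"))
    .map(line => line.split("=")[0].trim());
}

const visited = [
  "http://www.example-social.test/home?tab=feed",
  "http://chat.mail.example.test/inbox",
  "https://bank.example.test/",
];
const headers = ["session=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"];
console.log("still unencrypted:", stillPlainHttp(visited, forcedHosts));
console.log("cookies missing Secure:", cookiesWithoutSecure(headers));
```

A site that appears in the first list needs to be added to the Addon's configuration; a cookie in the second list is only protected as long as every request to that site is upgraded.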
What are your views on the situation? Should Eric be blessed or cursed for his evangelistic ways? Also, if you have other ideas on creating extra protection and making sure our daily surfing is secured, please let us know in the comments.
Thanks Itamar for the info!