Connecting to an unsecured public Wi-Fi network has always been risky, and it has now become even less safe. A new Firefox add-on called Firesheep makes it simple for anybody to gain access to your online accounts if you are connected through an unsecured wireless network.
Firesheep is designed to hijack login sessions belonging to 26 online services, including popular ones like Facebook, Foursquare, Google, Twitter, Amazon, and Yahoo. Basically, it is a packet-sniffing tool that can grab the login information for any of the supported services from anybody connected to the wireless network.
This is not a new thing, but Firesheep makes it possible for anybody to become a hacker. During the first 24 hours of release, Firesheep is reported to have been downloaded over 100,000 times.
The extension has been scaring users across the Internet for the last couple of days. It has made some people anxious about using public Wi-Fi networks, where this attack could easily be carried out by anyone. The real issue here, however, isn't public Wi-Fi but the need for encryption to protect users.
Eric Butler, the author of Firesheep, wrote:
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
The immediate solution is to force your browser to connect using HTTPS wherever possible. Several browser extensions exist that do this: HTTPS Everywhere and Force-TLS for Firefox, and KB SSL Enforcer for Chrome, to name a few.
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
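The site-side counterpart to forcing HTTPS in the browser, as an added example that is not part of the original post or of Firesheep: a small Python audit of response headers that flags session cookies a sniffer on the same network could read. The cookie name `session_id` and all header values are constructed sample data; the checks rely on the standard `Secure` cookie attribute and the `Strict-Transport-Security` header, neither of which the post itself names.

```python
# Added example; every header value below is constructed sample data.

def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(scheme, headers):
    """List what leaves a session open to sniffing on a shared network.

    scheme  -- "http" or "https": how the response was delivered
    headers -- (name, value) pairs as exported from a proxy or HAR file
    """
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if scheme != "https":
                findings.append(f"{cookie}: set over plain HTTP, readable on the wire")
            elif "secure" not in attrs:
                findings.append(f"{cookie}: no Secure attribute, also sent on HTTP requests")
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security: browser is not told to refuse HTTP")
    return findings


# Constructed responses: HTTPS login with a weak cookie, plain HTTP, and hardened.
HTTPS_LOGIN_ONLY = [("Set-Cookie", "session_id=abc123; Path=/; HttpOnly")]
PLAIN_HTTP = [("Set-Cookie", "session_id=abc123; Path=/")]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, scheme, hdrs in [("https-login-only", "https", HTTPS_LOGIN_ONLY),
                                ("plain-http", "http", PLAIN_HTTP),
                                ("hardened", "https", HARDENED)]:
        print(label, audit_response(scheme, hdrs) or "ok")
```

The first sample is the case that matters most here: a site that logs users in over HTTPS but issues a cookie without `Secure` still sends that cookie on any later plain-HTTP request.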
I've done a bit of research into this whole topic; it isn't as easy to use Firesheep as many people want to make you think it is. For instance: 1. You need to be able to use WinPcap, and WinPcap is an annoying and very temperamental program to add to Windows. 2. You need to have drivers patched for 'monitor mode' in Windows. To even get these drivers you need to make your own DLL files, which isn't easy. And to make things even more fun, Linux, which would make this easier to use, isn't supported; now if Linux was supported then this would be much easier to launch an attack.
On the whole, a lot of nattering over something that will need a programmer to get to work, but if a programmer wanted to do something like this then they already have...
Too much hype over nothing special