A scary new Firefox extension known as Firesheep came onto the scene recently. For years it has been possible for nefarious users to “sniff” unencrypted network packets for session cookies, allowing them to, with a bit of work, hijack your session with a website. This would enable them full access to, say, your email or Facebook account until you log out and destroy the session. This is probably the biggest security risk on a public WiFi hotspot, though until now it was fairly unlikely that you would happen to be on the same network as a nefarious user with the technical chops to pull it off. Until now.
Firesheep is a proof of concept that attempts to demonstrate just how big of a problem popular websites’ lack of HTTPS support is…by making “sidejacking” point-and-click simple. Anyone can install the extension, press a button to automatically scan for active sessions of popular websites being transmitted over the network, and then click on an entry to log in to the user’s account on the website.
What started out as a fairly innocent project demonstrate to websites like Facebook that they should be implementing SSL encryption has become a major security risk. Firesheep has sort of…went viral. A frightening number of people have downloaded the extension.
While developer Eric Butler’s intentions may have been honorable, his extension has had one very negative effect: it has made sidejacking much, much more prevalent. A year ago, I could be fairly sure that nobody on the local McDonalds’ WiFi hotspot would be trying to hijack my Twitter session. After all, I live in a fairly rural state with a low density of exceptionally computer-literate people. Now, some kid could be playing around with Firesheep.
This reminds me of the “grey hat” security researchers. They usually don’t have malicious intentions, but their methods can sometimes cause more harm than good. That seems to be Firesheep in a nutshell. Butler’s follow-up blog posts even read like those of a grey hat hacker.
I think Firesheep is the worst kind of way to promote security. It has done far more harm than good. Sidejacking was a fringe thing that you didn’t really have to worry about, except for higher-risk things like banking or checking your email. Now anyone can install a GUI tool and do it without even knowing how it works. This is going beyond enabling script kiddies. It puts cracker tools in the hands of the masses, therefore making sidejacking an actual risk.