This is a follow-up to my last post – I hope this scares you. At the time I made the previous post available, I was unwilling to reveal the name of the software I was describing for fear of encouraging the very behavior I was warning users about. However, the number of downloads of this software is approaching 750,000 at this moment and attempting to limit awareness seems pointless.
So, the software that concerns me is a Firefox extension named Firesheep. When used in a setting that provides open wifi, this software captures the cookies associated with certain types of social software and allows the individual capturing these cookies to log in to the accounts of sites associated with these cookies. A couple of additional comments. First, this access does not apply when cookies involve https – your banking data appear to be safe. However, some services (e.g., Facebook) use https login, but then send cookies in the clear. So, you cannot be assured that because you see https you are safe. It is not possible to capture cookies sent by every online service, but this may change as the software is upgraded. Finally, Firesheep is pretty much a common man’s tool providing the capabilities that hackers already have. That is the point of the developer and I guess each of us will decide what we think of the decision to make public a tool providing this capability to pretty much anyone. The motive is really to force change. Open wifi providers can do certain things (go to WPA protection and offer login info to users). The big online services can also go to https throughout.
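The failure mode just described (an https login whose session cookie is then sent in the clear on later http requests) comes down to cookies set without the Secure attribute. As an added example, not from the original post, here is a small Python check a site operator could run over their own Set-Cookie headers to flag cookies a browser would also send over plain http; the header values and cookie names are constructed.

```python
def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Domain) map to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def would_be_sent(attrs, scheme):
    """True if a browser would attach this cookie to a request over `scheme`.

    A cookie without Secure rides along on http requests to the same host,
    which is exactly what exposes it on an open wifi network.
    """
    if scheme == "https":
        return True
    return "secure" not in attrs


def audit_set_cookie_headers(headers):
    """Return [(cookie_name, [problems])] for cookies that are exposed."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        problems = []
        if would_be_sent(attrs, "http"):
            problems.append("missing Secure: sent in the clear over http")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings.append((name, problems))
    return findings


# Constructed sample headers: one hardened cookie, two exposed ones.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "session_weak=def456; Path=/; HttpOnly",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for name, problems in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(name, "->", "; ".join(problems))
```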
What can you do? Here are a few ideas I have picked up. I offer no guarantee. Clearly you could simply avoid public wifi.
I would suggest when using public wifi you consider using Firefox with the following extensions:
- Blacksheep – this is an extension that supposedly reveals if someone in your vicinity is using Firesheep
- HTTPS Everywhere – this extension from the Electronic Frontier Foundation will attempt to force https – provider must have https as a possibility
When I, or pretty much anyone else, write about copyright, the post usually begins with the statement – I am not a lawyer (even lawyers seem to say this). I am adapting this CYA for this situation to indicate that I am not a hardcore hacker. I can use the tool I describe here to steal cookies, but so can you. I make no pretense of knowing how much I would rely on the suggestions I make. I have tried them using two computers in an open wifi setting and know that they do offer some protection.