Firesheep wake-up call
Much has been written this past week about Firesheep. The bottom line: website operators must properly deploy SSL end-to-end security.
Firesheep is a Firefox extension written by Eric Butler and was presented by Butler and security consultant, Ian Gallagher, this past weekend at ToorCon hacker conference in San Diego. Firesheep takes advantage of a known security vulnerability related to non-secure session cookies. When connected to a public Wi-Fi, the program captures non-secure session cookies of other users of the Wi-Fi hotspot. When an unsuspecting user logs into an insecure website known by Firesheep, their name and photo are displayed. The Firesheep user can then click on the other user and they are instantly logged in as them.
Impacted websites include Amazon, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, and Yelp. A plugin system allows a Firesheep user to add their own sites.
There are many suggested solutions to fight Firesheep. These solutions include:
- don’t use public Wi-Fi
- only use secure Wi-Fi
- use a VPN service
- force SSL by using a plug-in such as HTTPS-Everywhere or ForceTLS.
- use an anonymizer such as Tor
These are partial or in some cases impractical solutions that may or may not work. Worst of all, they require the security challenged end-user to perform an action or make a trust decision.
The point of Firesheep is to put all web-site operators on notice that they need to wake-up and properly secure their web-sites with full end-to-end encryption using SSL. This practice includes the use of secure cookies.
For other best practices on SSL deployment, see SSL Deployment Mistakes.