Firesheep causes a stir
A few weeks ago, one Eric Butler, a freelance web developer and security researcher from Seattle, released a Firefox extension called Firesheep. Firesheep allows the user to hijack HTTP sessions transmitted over unsecured wireless networks. In other words, someone can walk into a coffeeshop, open their laptop, and via nothing more than a public wifi connection, find other patrons and log in to their accounts on sites like Facebook without a username or password. Firesheep is ridiculously simple to use; with three or four clicks the user can log in as anyone else using that wifi connection—all without the victim ever suspecting a thing.
Butler released Firesheep to bring attention to a very common, basic security flaw that's baked-in to many popular websites and services. In his words:
When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.
The release of Firesheep—which was downloaded over 100,000 times within 24 hours of its release*—preoccupied the tech press for days. A big draw was its focus on popular sites like Facebook, Twitter, Foursquare, Flickr, Tumblr, and Yelp, all of which broadcast sensitive personal information despite their built-in "privacy controls". Hand-wringing over the ethics of releasing such a tool ensued; others wondered aloud whether it was even legal to do so.
But some were happy to see Firesheep get out in the wild. The program, as they pointed out, merely utilized an already widely-exploited security issue. Formerly, you had to be a hacker or a nerd to hijack HTTP sessions, or at least willing to spend five minutes with Google to find tools to help you. Firesheep made it simple enough for nearly anyone to try it; the press it received no doubt buoyed its popularity. Butler's goal, of course, was to force this security issue into the mainstream. "The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."
When will Firesheep no longer work at all? To summarize what Butler and others have been saying, that day will come when websites properly and widely adopt the HTTPS protocol. HTTPS adds a layer of encryption to your communications, protecting them from eavesdroppers and thieves—even on public wifi connections. Because of the extra computing involved, HTTPS is more intensive than HTTP; thus far, it has been confined largely to online banking, credit card transactions, and occasional sites like Gmail. But in terms of cost and engineering, computing is at the point now where HTTPS can be broadly implemented at a reasonable effort.**
If we were asked to pick sides on this, we'd side with Butler.
Populi has always used industry-standard 128-bit SSL encryption for every last communication between your computer and our servers. If you're using Populi over coffeeshop wifi, HTTP-hijackers won't be able to get anywhere near your session, no matter what tools they're using. But we'll never simply rest on this encryption method. Perfect security, as we've repeated before, is a moving target. With all the interest hackers have in the juicy hunks of personal data colleges keep track of, they're gonna keep trying. Consequently, we would say that our top security features are more cultural than technological. Quite simply, we're dedicated to the safety of your data, your right to access it, and your right to keep other people out of it. In other words, we're dedicated to staying on our feet.
*It's well on its way to 800,000 as of this writing.
**If you're looking to guard yourself against HTTP-hijacking, tools like HTTPS Everywhere can help (as long as you're visiting sites that have the protocol as an option).