Fighting Firesheep: New Tactics
Even knowing that there are more than 800,000 downloads of Firesheep, the Firefox add-on that lets anyone monitor and hijack browser sessions over unencrypted Wi-Fi, it can be hard to resist just one quick Facebook or Twitter check-in on the airport, coffee shop or conference wireless network. (And I say that having seen Firesheep in action at Logan Airport and seizing control of my colleague's Facebook account.)
That's probably not a problem for those using a VPN, but what if you're not? Help has arrived from the latest version of the HTTPS Everywhere Firefox add-on -- sort of.
The Electronic Frontier Foundation developed HTTPS Everywhere before Firesheep came on the scene, but it's revamped it to offer more robust protection against Firesheep snooping.
HTTPS Everywhere alters browsing so that your default connection is no longer unencrypted http but the more secure, encrypted https whenever a site offers that capability. So, if you use Twitter without HTTPS Everywhere (or similar protection), the connection is unencrypted; with the extension, you're switched over to https.
What's changed, says EFF Technology Director Chris Palmer, is that the initial version was designed "to be as gentle as possible;" if certain site functionality didn't support encryption at all, activity was allowed to continue using unencrypted http. With this new version, if a site doesn't support encryption for some activities, your log-in cookie will be blocked and that site functionality will no longer work. This will cause problems when trying to use Facebook apps and chat, for example, Palmer said. The extension also labels its Amazon connection as "buggy."
The ideal solution, Palmer notes, is for all sites that require login to support https encryption for all activity and not just initial login. And that is also the goal of Firesheep creator Eric Butler, who says he released his tool in order "to demonstrate just how serious this problem is" of popular Web sites failing to offer en-to-end encryption.
Meanwhile, if you don't want to become a victim of Butler's demonstration project but still want to surf the Web on public Wi-Fi without a VPN, EFF's HTTPS Everywhere offers protection for a couple of dozen sites (screen shot below) although not full Web site functionality for them all.