Have you ever wondered what it might be like to be a hacker? With the new Firefox extension called Firesheep, you may only be a click away from realizing that dream.
Firesheep is an extension for Firefox. It was created with the intention of highlighting just how vulnerable you are when you are using an open wifi network (like in a coffee shop, or if you are using your neighbor's wifi without them knowing). Firesheep is an exercise in HTTP session hijacking. Basically, it analyzes all unencrypted traffic on an open wifi network, to and from all computers on the network. The extension waits for someone on the network to log in to one of 26 sites listed in the Firesheep database (including Facebook, Twitter, Amazon, Google and many more popular sites). When someone logs in to one of these sites, Firesheep is able to capture the cookie that is used and extract personally identifying information like your username and session ID with that site. Passwords are almost never stored in cookies, so your password is probably still safe, but using the session ID, Firesheep is able to access the account that was just logged into. So this means if you and your friend (or a stranger) are logged into the same unprotected network, and they log in to Facebook, you can use Firesheep to gain unrestricted and full access to their account, with just one click!
So if you can use Firesheep to do this to unsuspecting people around you, that means they can do it to you too! The worst part is you may never know it happened until it is too late. So what do you do to protect yourself?
Here are a few things you can do to be proactive about your security (courtesy of this article at PCWorld.com):
- Use a VPN - try using HotSpot Shield when using an open wireless network. This software encrypts all information transmitted between your computer and the router.
- If you use Firefox, use an extension called HTTPS Everywhere (works on Mac and Windows, but not Linux). This forces certain websites to use a secure SSL connection everywhere rather than just during login. This only works on a limited number of sites that support full SSL browsing.
- If your home wireless network does not require a password, you should set one up right now (seriously, do it now, I'll wait)! If your router supports WPA2, use that instead of WEP, which is more widely used, but less secure.
- Never use an open wifi network for sensitive online activities such as banking.
You can also use an extension in Firefox called Blacksheep that will detect and block others using Firesheep.
Firesheep sounds really scary, but remember a few things. First, your passwords are probably safe, and any information that requires a password is protected because Firesheep doesn't have access. Second, Firesheep is meant to highlight a major security flaw that many important websites continue to ignore. Session hijacking is not new; in fact, it's one of the oldest tricks in the book. The fact that it works here should embarrass the likes of Google and Facebook. To quote the developer of Firesheep, Eric Butler, "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win."
I hope so too.
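The site-side fix for the problem described above (SSL used only during login, so the session cookie later travels unencrypted) can be checked from a response's headers. The following Python sketch is an added example, not code from the original article or from Firesheep; the sample headers are constructed, and the checks for the `Secure` cookie attribute and the `Strict-Transport-Security` header go slightly beyond what the article names.

```python
"""Audit response headers for session cookies that can leak over plain HTTP."""

# Constructed samples (not captured traffic): a site that encrypts only the
# login step, and the same site after hardening.
LOGIN_ONLY_TLS = ("https", [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
])
HARDENED = ("https", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
])


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_response(scheme, headers):
    """Return a list of findings for one response (empty list means clean)."""
    findings = []
    if scheme != "https":
        findings.append("response served over plain HTTP")
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if scheme == "https" and not has_hsts:
        findings.append("no HSTS header: later requests may fall back to HTTP")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        # Without Secure, the browser attaches the cookie to any HTTP request
        # to the site, where anyone on the same open network can read it.
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure: readable on open wifi")
    return findings


if __name__ == "__main__":
    for label, sample in (("login-only TLS", LOGIN_ONLY_TLS), ("hardened", HARDENED)):
        print(label, "->", audit_response(*sample) or "no findings")
```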