Sorry. I just had to do that. Firesheep is taking the ‘net by storm, it seems. Surely, you’ve heard about it by now; it has been around for nearly a week and has been downloaded more than 600,000 times. In case you haven’t hear about it, here’s the scoop from Bruce Schneier:
Firesheep is a new Firefox plugin that makes it easy for you to hijack other people’s social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses wincap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection.
In other words, if I sniff your cookies, I can hijack your session and be you. I can do anything that you could do, see anything that you could see. So, if you’re using public (unencrypted, open) WiFi you’re in trouble. Personally, I think this is a good thing: It may force the public hotspots to tighten security. After all, it’s not rocket science; you just implement WPA2 on your wireless router and give everyone the password. Steve Gibson explains:
Now that this concept is out, we’re going to see it go like crazy. And so…the remediation for the wireless access providers [is] simply bring up encryption… Again, it doesn’t have to be a secret password, just Starbucks can make it “Starbucks.” And that solves the problem. However, the providers of these services, the Facebook, the Twitter, the MySpace and so forth, they can’t rely on that. They have to simply enforce SSL, just like Google did.
Yes, there’s no reason not to just enforce SSL. On every website. Everywhere, all the time. It’s simple to do. End-to-end encryption and who the heck cares who’s sniffing? It’s all random noise to anyone looking at the data stream.
Complexity is the enemy of security; simplicity is the ultimate weapon. The solution to this problem is a simple one. We can only hope that the release of Firesheep is the wake up call we need.