Yesterday, we reported on Firesheep, the Firefox extension that allows anyone to log into anyone else’s social media accounts so long as both parties are connected to an unsecured wireless network. Understandably, the existence of such a thing freaked a lot of people out: There’s fortunately a way of protecting your accounts against Firesheep, but the number of people who do so is likely to be slim compared with the number of people who routinely access unsecured networks.
The number of people who downloaded Firesheep was not slim, however. Eric Butler, the software developer who created the controversial extension to draw attention to the alarmingly widespread vulnerability to HTTP session hijacking to which many major websites subject their users, has reflected on the first day of Firesheep’s life, and he reveals that more than 129,000 people have downloaded it. As one Redditor quipped, “Seems like every wannabe hacker and his brother downloaded that thing.”
The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward, the metric of Firesheep’s success will quickly change from the amount of attention it gains to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.
An across-the-board improvement in website security will take time, but people are beginning to see the risks of using insecure websites right now.
One useful safeguard: The EFF’s HTTPS Everywhere, which makes Firefox use HTTPS connections (not vulnerable to sidejacking) on the sites it supports. It’s not perfect — Butler notes that “It does not appear to be immediately simple for users to add sites without some development experience,” and it doesn’t support all websites (though this is the fault of the sites and not the extension) — but it’s a start. The finish won’t come until major websites safeguard their users rather than leaving all but the most tech-savvy at risk.
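An added example, not code from the article or from Butler's Firesheep: a small Python check of the server-side fix the article is asking for. It parses Set-Cookie headers and reports likely session cookies issued without the Secure attribute, which a browser will transmit on plain-HTTP requests where a sniffer on an open wireless network can read them. The cookie-name hints and the sample headers are constructed assumptions, not taken from any real site.

```python
"""Audit Set-Cookie headers for session cookies exposed to sidejacking.

Sidejacking works because a cookie without the Secure attribute is sent on
every request to its host, encrypted or not. HttpOnly does not help here: it
only hides the cookie from scripts, not from the network. The server-side fix
is HTTPS for the whole session plus Secure-flagged session cookies.
"""
from typing import Dict, List

# Substrings that commonly mark a session cookie (assumption; tune per site).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing semicolon
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def sidejackable_cookies(headers: List[str]) -> List[str]:
    """Return names of likely session cookies that lack the Secure attribute."""
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        looks_like_session = any(h in name.lower() for h in SESSION_HINTS)
        if looks_like_session and "secure" not in cookie["attrs"]:
            exposed.append(name)
    return exposed


# Constructed sample responses: the weak form a sidejacking tool can exploit,
# and the hardened form in which the session cookie never leaves over HTTP.
SAMPLE_WEAK = ["sessionid=abc123; Path=/; HttpOnly", "prefs=dark; Path=/"]
SAMPLE_HARDENED = ["sessionid=abc123; Path=/; Secure; HttpOnly", "prefs=dark; Path=/"]

if __name__ == "__main__":
    print(sidejackable_cookies(SAMPLE_WEAK))      # ['sessionid']
    print(sidejackable_cookies(SAMPLE_HARDENED))  # []
```

Point the function at the Set-Cookie headers of a login response to see whether that site's session would survive the open-network scenario the article describes.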
(Eric Butler via Reddit)
Published: Oct 26, 2010 02:03 pm