Tuesday, October 26, 2010

Firesheep: who is eating my cookies?

We talked a bit about Firesheep yesterday in class. PandaLabs provides a good write-up on it here ...

PandaLabs also points out a handy tool to protect yourselves from these attacks. They write,
Don’t panic. Yes, this is bad, but there are some countermeasures to take. The best solution would be to use SSL encryption in all communications, but this has to be supported on the server side, so that won’t be happening (at least massively) anytime soon. Meanwhile, you should use HTTPS Everywhere, which will force the use of https when connecting to some major websites, such as Twitter or Facebook:

You can get HTTPS Everywhere from the EFF. They are a very, very reputable organization and I strongly recommend that you install this plug-in.

NOTE: This plug-in may still be vulnerable to Moxie Marlinspike's sslstrip attack but I have yet to verify that.

Special thanks to your classmate Sean for pointing out HTTPS-Everywhere. Good work Sean!
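Since the PandaLabs quote puts the real fix on the server side, here is an added example (not from the original post or from PandaLabs) of the check a site operator would run: it parses raw HTTP responses and flags the two server-side gaps behind this post, a session cookie set without the Secure attribute (so the browser will send it over plain HTTP, where Firesheep reads it) and a missing Strict-Transport-Security header (HSTS, the usual mitigation for the sslstrip downgrade mentioned in the note). The sample responses and the SESSION_COOKIE_HINTS name list are constructed for the example.

```python
# Audit HTTP response headers for Firesheep-style cookie exposure and sslstrip exposure.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")  # assumed naming patterns

# Constructed sample: a 2010-style site that sets its session cookie without Secure and has no HSTS.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n<html>...</html>"
)

# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>...</html>"
)


def parse_headers(raw):
    """Return the response headers as a list of (lowercased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Return a list of findings; an empty list means the response passes this audit."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        # Attribute names after the first ';' (Path, Secure, HttpOnly, ...), case-insensitive.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if not any(h in cookie.lower() for h in SESSION_COOKIE_HINTS):
            continue  # only session-bearing cookies matter for hijacking
        if "secure" not in attrs:
            findings.append(cookie + ": session cookie lacks Secure; sent over plain HTTP and sniffable")
        if "httponly" not in attrs:
            findings.append(cookie + ": session cookie lacks HttpOnly")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header; plain-HTTP requests can be downgraded (sslstrip)")
    return findings
```

Run audit_response over a real site's captured response head and an empty result means its session cookie is never sent in the clear and the browser pins HTTPS after the first visit.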

1 comment:

Lionel said...

We talked about this a long time ago but I'm still very conflicted about it. On one hand, I understand the idea behind exposing the faults in a website's security. Ideally, it would put a lot of pressure on these sites and they would fix the issue. But as we can see now, it's been quite some time since Firesheep was released and nothing has been fixed. So far the only thing I've seen is that now a lot of people with barely any experience with computers are capable of doing a lot of damage. Sure, it's funny when this is used to play with someone's Facebook page. But the fact that knowing how to download a plug-in is now all you need to hack someone's Amazon account is scary. I've taken the suggested steps to secure my browser, but a lot of people don't know that they should and won't until it's too late. So in a lot of ways, this still seems irresponsible on his part.