A Firefox add-on to be worried about – Firesheep


A new Firefox add-on has recently been released that helps people gain access to other users' accounts. It is not the traditional attack most people think of, where someone gets your username and password. This new add-on works against cookies (little bits of information a website stores on your computer). Most websites let you log in over a secure (https) connection and then give you a cookie so they know who you are and you do not have to log in multiple times. Firesheep uses this to its advantage, since most sites only protect the actual username and password login process and then jump back to the normal non-encrypted http connection. Firesheep typically works on open or unprotected wireless connections, where the “attacker” can see the traffic going across the air. It grabs the cookie you are using and allows a different person to impersonate you to that site. The Firesheep add-on currently has a list of about 26 sites, notably the following:

Amazon.com

Basecamp

Facebook

Flickr

Foursquare

Google

Windows Live

Twitter

WordPress

Yahoo

The add-on can be expanded and upgraded, so who knows what is going to come out in the future.

Some possible ways around this are to use a VPN (Virtual Private Network) connection, which encrypts all traffic, even across an open wireless connection, until it reaches the other end of the VPN connection. There is also the HTTPS Everywhere add-on, which tries the secure (https) version of a site first before falling back to the non-secure http version. This helps, but it depends on the website itself supporting https on all its pages. Some do and some do not. With Firesheep released, this will probably become more common, and more sites will hopefully switch over to https once you are logged in. Finally, there is an announced add-on called FireShepherd, which is supposed to release anonymous information and gibberish to crash Firesheep-enabled browsers. I’ve looked, but have not been able to find a version that is out to test yet.
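A site-side check for the weakness described above, as an added example that is not from the original post: it inspects the response headers of a login and reports session cookies missing the Secure attribute (which browsers would then send over unencrypted http) and redirects that drop back to http. The header values, the example.com host and the cookie-name hints are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers a hypothetical site returns after an HTTPS login.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Location", "http://www.example.com/home"),
]

# Assumption: cookie names containing these hints identify the logged-in session.
SESSION_HINTS = ("sess", "auth", "token", "sid", "login")


def audit_login_response(headers):
    """Return findings that leave a session readable on an open network."""
    findings = []
    for name, value in headers:
        header = name.lower()
        if header == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                is_session = any(h in cookie_name.lower() for h in SESSION_HINTS)
                # Without Secure, the browser also sends the cookie over http.
                if is_session and not morsel["secure"]:
                    findings.append(
                        f"{cookie_name}: session cookie without Secure flag")
        elif header == "location" and value.lower().startswith("http://"):
            # Login was protected, but the next page is requested in the clear.
            findings.append(f"redirect after login drops to plain HTTP: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_login_response(SAMPLE_HEADERS):
        print(finding)
```
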

Safe surfing.

Additional materials:

Firesheep

HTTPS Everywhere

Maximum PC article

More About the Author

Richard Clapp

Systems Engineer