There has recently been released a new FireFox add-on to help people gain access to other user’s accounts. It is not the traditional attack that most people think about where they get your username and password. This new add-on for FireFox works against the cookies (little bits of information stored on your computer for a website). Most websites allow you to log in using a secure (https) connection, and give you a cookie to help them know who you are and to help from having you log in multiple times. Firesheep uses this to its advantage since most sites only protect the actual username and password login process then jump back to the normal non-encrypted http way to connect. Firesheep typically works on open or unprotected wireless connections where the “attacker” can see the traffic that is going across the air. It grabs the cookie that you are using and allows a different person to impersonate you to that site. The firesheep add-on currently has a list of about 26 sites with the notable following:
The add-on does have the ability to be expanded and to be upgraded so who knows what is going to come out in the future.
Some possible ways around this are to use a VPN (Virtual Private Network) connection which encrypts all traffic even across an open wireless connection until it gets back to the other end of the VPN connection. There is the HTTPS Everywhere add-on which tries to use the secure version of https first before it switches back over to the non-secure version of http to get to sites. This helps, but it depends on the website itself to support https on all its pages. Some do and some do not. With firesheep being released this will probably become more common and more sites will hopefully switch over to https once logged in. Finally there is the announced add-on called firesheppard which is supposed to release anonymous information and gibberish to crash firesheep enabled browsers. I’ve looked, but have not been able to find a version that is out to test yet.