Slashdot Mirror
Firefox Extension Makes Social-Network ID Spoofing Trivial
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."
I don't dispute author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their concent) is very likely against federal laws in US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)
So be careful where you click..
here: http://codebutler.com/firesheep
They apparently call it "sidejacking", i.e. sniffing other users cookies from a wifi, and using it. Not new, but made userfriendly.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
> Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]
> I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]
Install the HTTPS-Everywhere FF Plugin. It will SSL-encrypt Facebook and a host of other domains. Only draw-back: Chat doesn't work via SSL atm.
https://www.eff.org/https-everywhere
And while you're at it, also install the BetterPrivacy Add-on:
https://addons.mozilla.org/en-US/firefox/addon/6623/
which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.
When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:
http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1
So Facebook probably wouldn't need to do much more than get their software set right.
Nerd rage is the funniest rage.
Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/:
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.
That said, if you're worried about it you could always install HTTPS Everywhere and it will make Facebook always load using SSL.
Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
Hash = 1-way crypto
The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.
Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently: