Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."

Illegal?

I don't dispute author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their concent) is very likely against federal laws in US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)

So be careful where you click..

A better explaination

[buchner.johannes]

here: http://codebutler.com/firesheep

They apparently call it "sidejacking", i.e. sniffing other users cookies from a wifi, and using it. Not new, but made userfriendly.

Re:Why no encryption?

[maxume]

When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:

http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1

So Facebook probably wouldn't need to do much more than get their software set right.