Firefox Extension Makes Social-Network ID Spoofing Trivial
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."
The fact that it's unencrypted is Facebook's fault. It's not hard to push everything through HTTPS; there's no excuse these days.
Someone in the same network sniffing your unencrypted traffic is Facebook's fault?
Or the fact that someone made a UI to do it for dummies?
The fact that it is unencrypted is, yes.
"Work is the curse of the drinking classes." -Oscar Wilde
Another point does not "miss the point".
Transport security != corporate marketing of private data
"You have liberated me from thought."
It's "just" WiFi cookie theft. You can do that easily with Wireshark and copy/paste; this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?
Emotions! In your brain!
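An added example, not part of the original thread: a defender-side check for the session-cookie exposure discussed above. It parses `Set-Cookie` headers and reports session-like cookies that lack the `Secure` attribute, since a browser will send those over plain HTTP where anyone on the network segment can read them. The header values and the name heuristic are constructed for illustration.

```python
# Constructed sample: Set-Cookie headers as a hypothetical site might send
# them in its HTTPS login response. Not taken from any real service.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly",
    "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/",
    "__Host-sid=xyz789; Path=/; Secure; HttpOnly",
]

# Assumption: cookies whose names contain these substrings carry session state.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def looks_like_session(name):
    """Heuristic: does the cookie name suggest it identifies a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def exposed_session_cookies(headers):
    """Return names of session-like cookies a browser would send over plain HTTP."""
    exposed = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if looks_like_session(name) and "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for cookie in exposed_session_cookies(SAMPLE_SET_COOKIE):
        print(f"{cookie}: missing Secure, readable on any unencrypted request")
```

A clean result only covers the cookie attributes; the site still has to serve every authenticated page over HTTPS, not just the login form.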
Furthermore, the entire usefulness of MD5 is that you can't un-MD5 it ;-)