Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."

2 of 185 comments

  1. Promiscuous mode on any adapter? by SpinningCone · Score: 5, Interesting

    I used to do sniffing and stuff like this a couple years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. Aircrack sells one that comes with 1st-party drivers to allow sniffing. I used a Linksys USB adapter since there were 3rd-party drivers that allowed it.

    Unless something has changed, I thought most wireless drivers didn't support promiscuous mode for sniffing.

  2. Re:https everywhere by anti-pop-frustration · Score: 4, Interesting

    HTTPS Everywhere is indeed a great extension, and everybody should be using it.

    But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal, it only proves the Firesheep developer's point: these services have an inappropriate level of security.

    The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail services this is utterly unacceptable. https for login is a fig leaf, the only thing this does is give users a false sense of security.
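
The "https for login only" pattern discussed above can be checked from the site operator's side. The following is an added example, not part of the original post or of Firesheep: it audits a recorded login flow for places where the session would travel over plain HTTP. It assumes the session is carried in a cookie; the host, paths, cookie names and sample responses are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: login happens over HTTPS, then the site drops to HTTP.
FLOW = [
    {"url": "https://mail.example.test/login",
     "headers": [("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
                 ("Location", "http://mail.example.test/inbox")]},
    {"url": "http://mail.example.test/inbox",
     "headers": [("Set-Cookie", "prefs=compact; Path=/")]},
]

# Constructed sample: the same flow with HTTPS kept for the whole session.
HARDENED = [
    {"url": "https://mail.example.test/login",
     "headers": [("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
                 ("Location", "https://mail.example.test/inbox")]},
    {"url": "https://mail.example.test/inbox", "headers": []},
]

def audit_flow(flow, session_cookies=("SID",)):
    """Return (kind, url, detail) findings for session exposure over HTTP."""
    findings = []
    for resp in flow:
        scheme = urlsplit(resp["url"]).scheme
        for name, value in resp["headers"]:
            header = name.lower()
            if header == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for cname, morsel in jar.items():
                    # Without Secure, the browser also sends the cookie on http:// requests.
                    if cname in session_cookies and not morsel["secure"]:
                        findings.append(("cookie-without-secure", resp["url"], cname))
            elif header == "location":
                # A post-login redirect that leaves HTTPS exposes every later request.
                if scheme == "https" and urlsplit(value).scheme == "http":
                    findings.append(("https-to-http-redirect", resp["url"], value))
        if scheme == "http":
            # Any page of the logged-in session served in the clear.
            findings.append(("plaintext-page-in-session", resp["url"], ""))
    return findings

if __name__ == "__main__":
    for finding in audit_flow(FLOW):
        print(finding)
```
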