Slashdot Mirror


HTTPS Everywhere Gets Firesheep Protection

coondoggie writes "The Electronic Frontier Foundation today said it rolled out a version of HTTPS Everywhere that offers protection against 'Firesheep' and other tools that seek to exploit webpage security flaws. Hitting the streets in October, Firesheep caused a storm of controversy over its tactics, ethics and Web security in general. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors' log-in credentials."

4 of 77 comments

  1. Re:Duh? by The+MAZZTer · Score: 4, Informative

    Firesheep never used login credentials. It never needed to. Session cookies were enough to impersonate another user... so any visit to any HTTP page on any site allowed a Firesheep user to impersonate you on that site in theory (of course if you're logged out this is of limited use, but if you're logged in they can impersonate you without login details).

  2. Re:Duh? by blueg3 · Score: 4, Informative

    Many of the sites that Firesheep attacks use HTTPS for their login, so you don't send your credentials in the clear, but fall back to HTTP for delivery of content. The point Firesheep attempts to make is that this is not sufficient -- your unencrypted HTTP requests contain the session cookie that your encrypted login obtained. The session cookie is just as useful, as long as you make use of it "soon".

  3. Re:Probably breaks lots of web sites by oodaloop · Score: 4, Informative

    Um, no. That would be pretty dumb. IF the site has an https page, it directs to that. If not, it doesn't.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.

  4. Re:Do Not Use Unsecured Wireless by bunratty · Score: 4, Informative

    It's not as simple as that. The traffic is encrypted only during one part of the way from your computer to the server, so cookies can be sniffed anywhere from the wireless router to the server. But it is as simple as using HTTPS. Then all traffic is encrypted all the way from your computer to the server, and you also have the stronger guarantee that your computer is talking to the server you think it is, so your cookies cannot be sniffed by third parties. StartSSL offers free SSL certificates to allow any site to encrypt all of its traffic.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
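The behaviour the comments above describe, as an added example that is not part of the thread and not the EFF's HTTPS Everywhere code: a toy ruleset-driven http-to-https rewriter (comment 3's "if the site has an https page, it directs to that"), followed by a check that lists which session cookies would still be sent in the clear (comments 2 and 4). The hosts, rules, request list and the cookie `secure` attribute are constructed assumptions; the Secure cookie attribute itself is a standard browser feature the thread does not mention.

```javascript
// Added example (not from the thread or the EFF project): a toy
// HTTPS-Everywhere-style rewriter plus a check for session cookies that
// would still leave the browser over plain HTTP. All data is constructed.
const RULESET = [
  // Hypothetical rules: a host regexp selects the site; an optional
  // exclusion keeps paths that have no HTTPS equivalent on plain HTTP.
  { host: /^(www\.)?facebook\.com$/, exclude: /^\/legacy\// },
  { host: /^(www\.)?twitter\.com$/ },
];

// Rewrite http:// to https:// only when a rule covers the host and no
// exclusion matches the path; every other URL is returned untouched.
function rewrite(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "http:") return urlString;
  for (const rule of RULESET) {
    if (!rule.host.test(url.hostname)) continue;
    if (rule.exclude && rule.exclude.test(url.pathname)) return urlString;
    url.protocol = "https:";
    return url.toString();
  }
  return urlString;
}

// Constructed request log: each entry is a URL the page would fetch and
// the cookies the browser holds for it. A cookie without the Secure
// attribute is attached to both http: and https: requests.
const SAMPLE_REQUESTS = [
  { url: "http://www.facebook.com/home", cookies: [{ name: "sid", secure: false }] },
  { url: "http://example.org/", cookies: [{ name: "sid", secure: false },
                                          { name: "s2", secure: true }] },
];

// Report cookies that still travel in the clear after rewriting: the
// request stayed on http: and the cookie lacks the Secure attribute.
function exposedCookies(requests) {
  const exposed = [];
  for (const req of requests) {
    const finalUrl = rewrite(req.url);
    if (!finalUrl.startsWith("http:")) continue;
    for (const c of req.cookies) {
      if (!c.secure) exposed.push({ url: finalUrl, name: c.name });
    }
  }
  return exposed;
}

console.log(exposedCookies(SAMPLE_REQUESTS));
```

With the sample data, the facebook request is rewritten to https and drops out of the report, while the example.org request keeps its non-Secure "sid" cookie exposed.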