A few weeks ago Eric Butler, a software developer based in Washington, released a free, open source Firefox extension that allows the user to hijack the sessions of other users on the same wireless network. When you sit down at a public place and use Facebook or any other social network over a public hotspot, the site sends a cookie (a file with information that identifies you as you) and stores it on your computer. Another person on the same wireless network could use the extension, called Firesheep, to hijack your session and pretend to be you on Facebook or whichever other sites you are logged on to.
This is a widely known problem that has been talked about over and over again, but websites continue to fail at protecting their users. Many sites use HTTPS to log users in but then return the user to insecure connections to serve the rest of their pages. An easy fix for this problem is to encrypt the network using WEP/WPA, but the extension’s developer is trying to make us aware of how vulnerable sites not using HTTPS are. He writes “they’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.” In the end we can expect sites to start using HTTPS instead of HTTP, rather than users having to change the wireless encryption or manually add extensions that are supposed to force HTTPS but are not always reliable.
An interesting fact is that HTTPS does not produce the overhead on the sites’ servers that many companies give as their reason for not offering it. HTTPS requires an initial handshake, which can be somewhat slow, but the actual amount of data transferred as part of the handshake is only about 5 kB. This can be a burden for small requests, but with the high-speed internet that we have access to it doesn’t mean much. Look at Gmail: it has been using HTTPS since January (before that, it was an option) and the access speed is not slow at all.
Hopefully the message sent by Eric Butler will catch on and companies will start protecting their users’ data using HTTPS. It is time that we, the users who control the internet, demand security on the services we depend on.
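For site operators, the pattern described above (login over HTTPS, later pages over HTTP) can be checked from the response headers. The following is an added example, not code from Firesheep or its author: it flags session cookies that lack the `Secure` attribute and responses that lack a `Strict-Transport-Security` header. Neither header detail is mentioned in the post, the function names are hypothetical, and the header values are constructed sample data.

```python
# Added example: audit response headers for cookies a passive listener could reuse.
# All header values below are constructed sample data, not captures from a real site.

def parse_set_cookie(value):
    """Return (cookie_name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(scheme, headers):
    """List findings for one response; headers is a list of (name, value) tuples."""
    findings = []
    names = {n.lower() for n, _ in headers}
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        if scheme != "https":
            findings.append(f"{cookie}: set over plain HTTP, visible on the network")
        elif "secure" not in attrs:
            findings.append(f"{cookie}: no Secure attribute, will also be sent over HTTP")
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header, later requests may use HTTP")
    return findings

# Constructed: login over HTTPS, but the session cookie is not restricted to HTTPS.
LOGIN_THEN_HTTP = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=EXAMPLE123; Path=/; HttpOnly"),
]
# Constructed: the same response with the cookie and the site kept on HTTPS.
HTTPS_ONLY = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=EXAMPLE123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("login-then-http", LOGIN_THEN_HTTP), ("https-only", HTTPS_ONLY)):
        print(label, audit_response("https", hdrs) or "ok")
```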