Firesheep is a Firefox extension that sniffs the cleartext HTTP traffic (port 80) passing over a shared wireless network, such as an open Wi-Fi hotspot, between other users' devices and the websites they are visiting. For each site it knows about it looks for the cookies that identify a logged-in session, and once it has captured them it replays them from the attacker's own browser, so the attacker is logged in as the victim without ever seeing the password (session hijacking, or "sidejacking"). Although this access lasts only as long as the stolen session remains valid, that is long enough to post comments, send tweets, or read and send emails. More seriously, if the change-password function does not ask for the current password first, the attacker can change it and hijack the account entirely.
One way around this is to ensure you only ever access websites via HTTPS (port 443), which encrypts the traffic and so prevents Firesheep from reading it. But many websites do not support HTTPS at all, and fewer still use it by default. Facebook, for example, allows the login and home pages to be loaded over HTTPS, but this is not the default; you physically have to type https:// into the browser's address bar. Even then, when you navigate to other pages, e.g. the profile page, it reverts to HTTP, and unless the session cookie was set with the Secure attribute the browser sends that same cookie over the cleartext connection, where Firesheep can capture it. Mobile applications, e.g. the iPhone Facebook app, are of equal concern, since most talk to unencrypted web services and are therefore equally vulnerable.
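As an added example (not code from the original post, and not Firesheep's own), the following Python models both halves of the story above: what a Firesheep-style sniffer pulls out of a captured cleartext request using a site handler (the host to watch plus the cookie names that carry the session), how the attacker replays it, and how the Secure cookie attribute denies the sniffer that material when a site sets the login cookie over HTTPS but later pages fall back to HTTP. The host name, cookie names, captured request and Set-Cookie headers are all constructed for the example; nothing touches the network.

```python
"""Firesheep-style sidejacking against constructed traffic (no network access).

Part 1 models the attack: a site handler names the cookies that carry a login
session; the sniffer pulls them out of a captured cleartext HTTP request and
replays them.  Part 2 models the defence: cookies set with the Secure attribute
are never attached to an http:// request, so a fallback to HTTP leaks nothing.
"""
from urllib.parse import urlsplit

# Hypothetical site handler (Firesheep ships one per supported site):
# the host to watch and the cookie names that together identify a session.
HANDLERS = {
    "example-social.test": ["sid", "user"],
}


def parse_http_request(raw: bytes):
    """Split a captured HTTP/1.x request into (method, path, lowercase-header dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value: str) -> dict:
    """Turn 'a=1; b=2' from a Cookie request header into {'a': '1', 'b': '2'}."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def sidejack(raw_request: bytes):
    """What the sniffer keeps: (host, session cookies) if a handler matches, else None."""
    _method, _path, headers = parse_http_request(raw_request)
    host = headers.get("host", "").split(":")[0]
    wanted = HANDLERS.get(host)
    if not wanted or "cookie" not in headers:
        return None
    jar = parse_cookie_header(headers["cookie"])
    captured = {name: jar[name] for name in wanted if name in jar}
    return (host, captured) if captured else None


def build_replay_request(host: str, cookies: dict, path: str = "/home") -> bytes:
    """The request the attacker's browser sends: the victim's cookies, no password."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def parse_set_cookie(header_value: str):
    """Parse one Set-Cookie header into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, value, attrs


def cookies_sent_over(set_cookie_headers, url: str) -> dict:
    """Model the browser: which of these cookies get attached to a request to `url`.

    Only the Secure attribute is modelled; Path/Domain matching is out of scope.
    HttpOnly does not help here: a sniffer reads the header on the wire, not via JS.
    """
    scheme = urlsplit(url).scheme
    sent = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if attrs.get("secure") and scheme != "https":
            continue  # Secure cookies never travel over cleartext HTTP
        sent[name] = value
    return sent


# Constructed capture: the victim loads a profile page over plain HTTP after an
# HTTPS login.  The Cookie header is exactly what an open-Wi-Fi sniffer sees.
CAPTURED = (b"GET /profile HTTP/1.1\r\n"
            b"Host: example-social.test\r\n"
            b"Cookie: sid=3f9ad2c1; user=1001; locale=en\r\n"
            b"\r\n")

# Constructed login responses.  WEAK omits Secure, so the cookies follow the
# victim onto any HTTP page; FIXED adds Secure, so they stay on HTTPS.
WEAK_SET_COOKIE = ["sid=3f9ad2c1; Path=/; HttpOnly", "user=1001; Path=/"]
FIXED_SET_COOKIE = ["sid=3f9ad2c1; Path=/; HttpOnly; Secure", "user=1001; Path=/; Secure"]

if __name__ == "__main__":
    host, session = sidejack(CAPTURED)
    print("captured:", host, session)
    print(build_replay_request(host, session).decode())
    profile = "http://example-social.test/profile"
    print("sent over HTTP, weak cookies  :", cookies_sent_over(WEAK_SET_COOKIE, profile))
    print("sent over HTTP, Secure cookies:", cookies_sent_over(FIXED_SET_COOKIE, profile))
```

The point of the last two lines is the one the Facebook example turns on: marking the login cookie Secure is what stops a single unencrypted page load from handing the whole session to anyone on the same network, and HttpOnly does nothing against this particular attacker.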
The good news is that at present Firesheep ships with handlers (site-specific recipes for which cookies to capture) for only about 26 of the most popular websites and webmail services. But this is only round one, and more tools like Firesheep will soon follow with handlers for many more sites. So until the website providers respond by forcing all access over SSL/TLS or something similar, my advice is to stay off public Wi-Fi networks if possible, and where you have no choice, ensure you always access sites via a secure connection such as HTTPS.