Firesheep

Making big waves in the online security world this week is the release of a Firefox plugin called Firesheep that lets you hijack a fellow wifi user’s authenticated session. Released at Toorcon this weekend, Firesheep takes advantage of the insecure method by which popular sites like Facebook establish a user as logged in.

Most sites use SSL for their actual login pages, so the packets of data between your computer and the server are encrypted. This encryption makes them mostly useless to anyone who happens to be monitoring the air for them. After you’re logged in, some sites will send you a cookie to establish a “session.” This cookie is often not encrypted, and anyone able to pull it out of a wireless network could present themselves to the website as you. Firesheep takes advantage of this vulnerability. The creators of the plugin released it to the public in order to spread awareness of this well-known problem.

TechCrunch has a great article on how to protect your cookies, but you should also be mindful of where you’re accessing private information. The attacker needs to be on the same wireless network as you, so changing your wifi password to a combination of letters and special characters is always a good idea. Also make sure that your wireless router is using WPA (Wi-Fi Protected Access) or WPA2 as a security protocol rather than WEP (Wired Equivalent Privacy). WEP is much less secure.
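
On the site operator's side, the unencrypted session cookie described above is one set without the Secure attribute, so the browser also attaches it to plain http:// requests. The following is an added example, not part of the original post: it audits Set-Cookie response headers for that condition. The sample headers are constructed, and the name hints used to guess which cookies carry login state are an assumption.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Assumption: cookie names containing these substrings carry login state.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def audit_cookies(headers):
    """Return one finding dict per cookie set in the response headers."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            looks_like_session = any(h in cookie_name.lower() for h in SESSION_HINTS)
            secure = bool(morsel["secure"])
            findings.append({
                "name": cookie_name,
                "session": looks_like_session,
                "secure": secure,
                "httponly": bool(morsel["httponly"]),
                # Without Secure, the cookie is also sent over plain HTTP,
                # where anyone on the same network can read it.
                "exposed": looks_like_session and not secure,
            })
    return findings


def exposed_session_cookies(headers):
    """Names of likely session cookies that lack the Secure attribute."""
    return [f["name"] for f in audit_cookies(headers) if f["exposed"]]


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS):
        status = "EXPOSED over HTTP" if f["exposed"] else "ok"
        print(f"{f['name']:12} secure={f['secure']!s:5} "
              f"httponly={f['httponly']!s:5} {status}")
```
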

One Response

  1. New Firefox Add-On Detects Firesheep, Protects You on Open Networks http://on.mash.to/97sDV0
