Firesheep raises more issues for websites and SSL rather than password sniffing

News by Dan Raywood

The Firesheep add-on for the Mozilla Firefox browser has been described as 'not the end of the world'.

Looking at the story from this week, F-Secure's chief research officer Mikko Hypponen told SC Magazine that while it is serious, as wireless hotspot users cannot be sure who is running it, it is not something that VPN users should be concerned about.

He commented that 129,000 downloads was a lot, but suspected that many would not have been downloaded completely or had failed and for those who did download it, it was unlikely to be used very much.

He said: “It does not steal the account details, just hijacks the session, but because you are in a session they cannot log in again as you. They can do stuff now but they do not know your current password.

“With Amazon they can take over your account and order stuff but cannot change your address as that requires a password. This is a problem that needs to be fixed but it is not the end of the world.”

Hypponen also said that a new approach is to tweet the user who has been intercepted with the following message: 'I was tweeting on the public WiFi and all I got was this lousy tweet'.

However, he agreed that the wider issue of secure websites has been raised by this story, as the problem is not with WiFi hotspots but that websites are only encrypted at login.

He said: “The real fix is with SSL all the way and users should enable a VPN. The cost is with the hardware and there is no cost if you already have it for login. Google proved others wrong with Gmail and it is slower, but users will not see the difference.”

Daniel Peck, research scientist at Barracuda Labs, agreed with Hypponen, saying that the only way to make these sorts of attacks go away for good is for SSL to be ubiquitous.

He said: “While it is certainly more common than just a few years ago, most sites are either still missing the feature or they are implementing it incorrectly. Most login pages are protected by SSL, but all too often the secure connection is then abandoned by the site and the user is dropped back to an insecure connection that exposes the cookie or session ID that uniquely identifies the user, allowing tools like Firesheep to impersonate the account.

“Keep an eye on the sites you use and make sure everything that is important to you is encrypted. Let the sites you depend on know that SSL support matters to you and possibly look at adding plug-ins to your browser that enforce using HTTPS when possible.”
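The weakness Peck describes, a session cookie issued after an SSL login that the browser will then happily send over plain HTTP, is something a site operator can check for in their own responses. The following is an added example, not code from the article or from either company, that audits the Set-Cookie and transport headers of a constructed login response: the cookie-name hints and both sample responses are assumptions made for the demonstration.

```python
# Added example (not from the article): audit a login response for the
# "SSL only on login" pattern, where a session cookie set without the Secure
# attribute is later sent in the clear and can be replayed by a sniffer.

# Cookie names that usually carry a session identifier (assumption for the demo).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # flag attributes map to ""
    return name.strip(), value, attrs

def audit_response(set_cookie_headers, other_headers):
    """Return findings for a response to an HTTPS login request."""
    findings = []
    lower = {k.lower(): v for k, v in other_headers.items()}
    for h in set_cookie_headers:
        name, _, attrs = parse_set_cookie(h)
        is_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
        if is_session and "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: sent over plain HTTP too")
        if is_session and "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
    if "strict-transport-security" not in lower:
        findings.append("no Strict-Transport-Security: http:// links leave SSL")
    return findings

# Constructed sample: the weak pattern (SSL for the login page only) ...
WEAK = (["sessionid=abc123; Path=/"], {"Content-Type": "text/html"})
# ... and the corrected one (SSL all the way; the cookie never leaves HTTPS).
FIXED = (["sessionid=abc123; Path=/; Secure; HttpOnly"],
         {"Content-Type": "text/html",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, (cookies, headers) in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_response(cookies, headers) or ["no findings"])
```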
