Firesheep WiFi Insecurity: Why the Sky Isn’t Falling

I noticed a discussion about Firesheep last night but didn’t read the details until this morning before driving in to the office. If you read an item like this one, you might be under the impression that the sky is falling. It isn’t. Phew, I know.

How To: Avoid Getting Fleeced By Firesheep
http://thenextweb.com/ca/2010/10/27/dont-get-the-wool-pulled-over-your-eyes-avoiding-a-firesheep-fleecing/

Firesheep is a Firefox browser plugin that lets you hijack other people’s accounts/sessions on services like Twitter and Facebook. This is mostly a problem on open WiFi networks (no WPA/WPA2 security). But, really, it can happen on any network where someone decides to run Firesheep and hijack sessions. So, what does it really do and what can be done about it? I turned to the writings of a security expert whose opinion I trust to get another perspective: Bruce Schneier.

Firesheep

His advice is relatively simple: protect yourself by forcing the authentication to happen over TLS, or stop logging in to Facebook from public networks. Schneier points to a relatively simple fix for Firefox browser users described on TechCrunch.

How To Protect Your Login Information From Firesheep
http://techcrunch.com/2010/10/25/firesheep/

A simple way that doesn’t even require installing a plug-in is to manually type https:// (SSL) instead of http:// (no “s”) when accessing Twitter & Facebook. I just tried it with both services and verified that they have it working with valid certificates.

https://twitter.com
https://facebook.com
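
Forcing https:// keeps a session off the wire only as long as the browser never sends the session cookie over plain http:// afterwards. The following is an added example, not part of the original post: it audits the headers of one HTTPS response for cookies set without the Secure attribute and for a missing Strict-Transport-Security header. The cookie names and header values are constructed sample data.

```python
# Added example: audit one HTTPS response for the two gaps that let a
# session cookie end up on plain HTTP. All sample data below is constructed.

def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return name, attrs

def hsts_enabled(value):
    """True if Strict-Transport-Security carries a max-age greater than zero."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return val.isdigit() and int(val) > 0  # max-age=0 switches HSTS off
    return False

def audit_response(headers):
    """headers: list of (name, value) pairs as received over https://."""
    result = {"cookies_without_secure": [], "hsts": False}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            # Without Secure, the browser also sends this cookie on http:// requests.
            if "secure" not in attrs:
                result["cookies_without_secure"].append(cookie)
        elif lname == "strict-transport-security":
            result["hsts"] = hsts_enabled(value)
    return result

# Constructed sample: session cookie readable on an open network after one http:// request.
WEAK = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]
# Constructed sample: cookie restricted to TLS, browser told to stay on HTTPS.
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(headers))
```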