Firefox Extension Makes Social-Network ID Spoofing Trivial
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."
Why no encryption? (Score:4, Interesting)
"Double-click on someone, and you're instantly logged in as them."
What's the extra use, 15-20%? vs. unencrypted HTTP.
Would SSL being left off allow creative law enforcement uses?
Promiscuous mode on any adapter? (Score:5, Interesting)
I used to do sniffing and stuff like this a couple of years ago, and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st-party drivers to allow sniffing. I used a Linksys USB adapter since there were 3rd-party drivers that allowed it.
Unless something has changed, I thought most wireless drivers didn't support promiscuous mode for sniffing.
How does it work? (Score:3, Interesting)
Am I the only one who finds it amusing... (Score:3, Interesting)
... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?
For the rest of us with some common sense this is just hilarious.
Re:and this is news ? (Score:1, Interesting)
Post your user/pass if it doesn't matter. Put your action where your mouth/fingers is/are.
But will it... (Score:2, Interesting)
Re:No HTTPS encryption (Score:3, Interesting)
Do they have any guarantee that all of their users have a browser that supports HTTPS?
To Facebook, it's better to allow access to as many users as possible, than lock some out in the name of security.
Re:WPA2 will work better against this hack (Score:2, Interesting)
Re:https everywhere (Score:5, Interesting)
But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal, it only proves the Firesheep developer's point: these services have an inappropriate level of security.
The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail services this is utterly unacceptable. https for login is a fig leaf; the only thing this does is give users a false sense of security.
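An added example, not from the thread: a small Python audit of the headers a login response sends back, showing why HTTPS on the login page alone is a fig leaf. If the session cookie is set without the Secure attribute, the browser will attach it to every later plain-HTTP request to that site, which is exactly what a sniffer on the network segment collects. The session-cookie name pattern and the two sample header sets are constructed for this example.

```python
import re

# Cookie names that look like they carry a login session (heuristic, an assumption of this example).
SESSION_NAME_RE = re.compile(r"sess|sid|auth|login|token", re.I)

def parse_set_cookie(header):
    """Split one Set-Cookie value into the cookie name and a dict of lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_login_response(headers):
    """Return findings for a list of (header-name, value) pairs from a login response.
    The question asked is: will the session ride on plain HTTP after the HTTPS login?"""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if not SESSION_NAME_RE.search(cname):
                continue
            if "secure" not in attrs:
                findings.append(f"{cname}: no Secure attribute, browser sends it over http:// too")
            if "httponly" not in attrs:
                findings.append(f"{cname}: no HttpOnly attribute, readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, later http:// requests are not upgraded")
    return findings

# Constructed sample: login happened over HTTPS, but the session cookie is unprotected.
FIG_LEAF_LOGIN = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.test"),
]

# Constructed sample: the same response hardened so the cookie never leaves TLS.
HARDENED_LOGIN = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.test; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("fig leaf", FIG_LEAF_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_login_response(hdrs) or ["ok"])
```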
KB SSL Enforcer (Score:3, Interesting)
This is why I use this Chrome extension - https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof
Basically for any site you go to it AUTOMATICALLY redirects you to the SSL version of that site if it exists. Including ssl.facebook.com.
Yes ssl.facebook.com should be the default, as should most sites, but until they are this extension is invaluable IMO.
eBay Gaming (Score:1, Interesting)
Re:How does it work? (Score:3, Interesting)