If you didn’t already know that plain HTTP sessions are utterly insecure, here’s proof: A new Firefox add-on named Firesheep captures sessions on open Wi-Fi networks and goes one step more sinister. It finds users logged into Facebook, Twitter, Google, Amazon, Dropbox, Evernote, WordPress, Flickr, bit.ly and more, and lets you take over their sessions and become them.
This isn’t revolutionary in any way. Session hijacking in HTTP is old news, but it may never have been this easy before. For Windows users it’s a bit harder, as they have to install WinPcap, a packet capture library, but it’s still not much of a barrier. An OS X version is also available.
What can you do? Don’t use open, unencrypted Wi-Fi networks or, if you do, use a VPN on them. At the very least, use HTTPS sessions on open networks. Hat tip to TechCrunch for suggesting Force-TLS, another Firefox extension that forces Firefox to use HTTPS (TLS) connections to certain sites.
Many of these sites offer TLS (HTTPS) connections, but don’t default to them. Support can be flaky: Facebook on TLS has no chat available. What’s up with that? Some services, like Gmail, have moved to all-TLS all the time.
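The reason a site that merely offers TLS is still exposed is that the session cookie is what Firesheep captures, and a cookie set without the Secure attribute is sent along with any plain HTTP request, even one the user never typed (an embedded image, a redirect). The server-side fix is to mark session cookies Secure and to send a Strict-Transport-Security header so the browser stays on HTTPS without needing an extension like Force-TLS. The following audit script is an added example, not code from the post or from Firesheep; the two HTTP responses in it are constructed samples, and the cookie-name hints and the 180-day HSTS threshold are assumptions chosen for the example.

```python
"""Audit HTTP response headers for the two server-side settings that defeat
cookie capture over plain HTTP: the Secure attribute on session cookies and
an HSTS header that keeps the browser on HTTPS.
Added example; the responses below are constructed, not captured from any site."""
import re

# Constructed sample: offers TLS but the session cookie lacks Secure and there is no HSTS.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

# Constructed sample: the hardened form of the same response.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/; Secure
"""

# Assumed substrings that mark a cookie as session-bearing (adjust per site).
SESSION_COOKIE_HINTS = ("session", "sid", "auth", "token")
# Assumed minimum HSTS lifetime for this audit: roughly 180 days.
MIN_HSTS_MAX_AGE = 15552000


def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names, keeping repeated
    headers such as Set-Cookie and ignoring the status line."""
    headers = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def looks_like_session_cookie(name):
    """Heuristic: does the cookie name suggest it carries login state?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is absent."""
    for name, value in headers:
        if name == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if match:
                return int(match.group(1))
    return None


def audit(raw):
    """Report session cookies that would travel over plain HTTP and the HSTS status."""
    headers = parse_headers(raw)
    exposed = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(value)
        # Without Secure, the browser attaches the cookie to any http:// request.
        if looks_like_session_cookie(cookie_name) and "secure" not in attrs:
            exposed.append(cookie_name)
    max_age = hsts_max_age(headers)
    return {
        "exposed_session_cookies": exposed,
        "hsts_max_age": max_age,
        "hsts_ok": max_age is not None and max_age >= MIN_HSTS_MAX_AGE,
    }


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response))
```

Running it shows the weak response leaking `sessionid` with no HSTS, while the hardened one reports nothing exposed and an acceptable HSTS lifetime. A VPN or Force-TLS protects one user at a time; these two headers protect everyone who visits the site.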