New add-on program Firesheep

Posted by Zotta Rendevouz

A developer out there has released a Firefox extension that will strike fear into folks who often frequent places with public Wi-Fi. The Firesheep extension is capable of sniffing out and stealing cookies of popular sites such as Facebook and Twitter by latching onto the browsing sessions of other users on the same Wi-Fi hotspot. It's a proof-of-concept extension, but it's up for download, supporting popular sites such as Facebook, Flickr, Amazon, Dropbox, Evernote and many more. When using it, you can easily intercept a session on a public hotspot and start browsing the site as if you're that person. This extension was released to force popular sites to send data via the more secure HTTPS protocol, which encrypts data as it's sent, though it comes at the expense of speed. In case you're thinking of giving this extension a test drive at the nearest Starbucks, you'll need to make sure that you're using a wireless card that's capable of running in promiscuous mode.

To work, a user of Firesheep must have the program running on an ordinary computer on a shared wireless network where it can grab cookies after other users on the network log into popular Web sites, according to a post by Eric Butler, the developer of the program. Butler in his post suggests Firesheep works on “open” wireless networks, but doesn’t specify whether that includes networks where many strangers share a common password to access them, as in a café or convention center.

Apparently many social network sites are not secured; beyond the big two, Foursquare and Gowalla are also vulnerable. Moreover, to give you a sense of Firesheep’s scope, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting; anyone can write their own plugins, according to the post.

On his Web site, Butler said the “only effective fix” for the problem is for Web sites to fully encrypt all of their communications with consumers, not just a portion of them. Some Web sites already seem to be trying to address the problem.

A spokesman for Google said the company recently began fully encrypting communications with users of its Gmail service and other Google services by default, though it’s still possible users can turn encryption off (on slow Internet connections, encryption can affect the performance of a Web site for a user).

A spokesman for Facebook, meanwhile, says the social network has been “making progress” testing encryption across its Web site and hopes to provide it as an option for Facebook users in the coming months.
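
For site operators, the "only effective fix" quoted above (encrypting everything, not just a portion) can be checked from response headers. The following is an added example, not code from Firesheep or from Butler's post: it flags session cookies that a browser would still send over plain HTTP. The host name, cookie values and the Strict-Transport-Security check are assumptions added for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(url, headers):
    """Return a list of findings for one HTTP response.

    url     -- URL the response came from
    headers -- list of (name, value) pairs, as a proxy or test client reports them
    """
    findings = []
    over_tls = urlsplit(url).scheme == "https"
    header_names = {k.lower() for k, _ in headers}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        if not over_tls:
            # Cookie is visible to anyone on the same network at issuance.
            findings.append(f"{cookie}: issued over plain HTTP, readable on the network")
        elif "secure" not in attrs:
            # Login was encrypted, but the cookie rides along on later http:// requests.
            findings.append(f"{cookie}: no Secure attribute, sent on any later http:// request")
    if over_tls and "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header, browser may still use http://")
    return findings

# Constructed sample: login page served over HTTPS, rest of the site left unprotected.
SAMPLE_PARTIAL = ("https://social.example/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=CONSTRUCTED123; Path=/; HttpOnly"),
])
# Constructed sample: every request encrypted and the cookie restricted to HTTPS.
SAMPLE_FULL = ("https://social.example/login", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=CONSTRUCTED123; Path=/; HttpOnly; Secure"),
])

if __name__ == "__main__":
    for url, hdrs in (SAMPLE_PARTIAL, SAMPLE_FULL):
        print(url, audit_response(url, hdrs) or "ok")
```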