The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"
Co-authored by Richard Esguerra
The Firesheep Firefox extension has been scaring users across the Internet since its
introduction at the Toorcon security conference this past weekend by security researchers Eric Butler and Ian Gallagher. Firesheep demonstrates a security flaw that the computer security community has been concerned about for years — that any network eavesdropper can take over another user's session (say, a login to a webmail or social networking account) just by sniffing packets and copying the victim's cookie. In other words, if the websites you visit are not taking steps to encrypt your communications, or you're not taking advantage of the encryption they offer, it's now an obvious and trivial fact that anyone else on that same network can use features from your accounts on Facebook, Twitter, Yelp, Flickr, and a number of other popular web sites. Since Firesheep is extensible, people will probably teach it to "support" more web sites in short order.
This has made some people anxious about using public wifi networks, where this attack could easily be carried out by strangers; but as Danny O'Brien explains, in the long run, the real issue isn't public wifi, but the need for encryption to protect users. Firesheep works because many websites fail to encrypt one of the most important pieces of information they exchange with you: the session identifier that tells them that you are the user behind your browser. When you load a web page whose URL begins with "https://...", your interaction with that page is encrypted. If the site is using HTTPS properly, your communications will be protected from eavesdroppers. When the URL begins with "http://...", there is no such guarantee.
But often, that protection is undermined immediately thereafter. The website drops a cookie in your browser with a code that allows you to say, "Hi, I am logged in to this website as <your name here>." Your browser constantly repeats that cookie value back to the site as you navigate, providing a way for the site to check that you're allowed to do the things on the site that you ask to do. But many sites fail to encrypt these interactions, running them over plain HTTP and allowing an eavesdropper to capture the cookie each time your browser retransmits it, ultimately allowing that eavesdropper to also say to the website "Hi, I am logged in as <your name here>." (Of course, that same eavesdropper can just as easily watch everything else you're doing on such sites.)
Firesheep makes loud and clear something that EFF has said for some time: major websites need to implement HTTPS properly and completely. For the last few months, EFF has been developing HTTPS Everywhere — a Firefox plugin that makes your web browser demand an HTTPS connection if it's available. But note the phrase "if it's available." HTTPS Everywhere only works if a site implements HTTPS; many of the most popular sites still haven't deployed HTTPS properly, if at all. HTTPS Everywhere can, in fact, help protect users against Firesheep, but only for sites that are set up to offer HTTPS protections consistently.
We're communicating with some of the companies whose sites the initial version of Firesheep targets to emphasize this point. We will be sending letters to more site operators soon. There's evidence that computers have gotten fast enough that routine use of encryption on web sites should be practical. Google reported that "[i]n order to [turn on HTTPS for all Gmail users] we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead." Although there's engineering effort involved in making this happen, the idea that sites usually need to buy lots of new servers in order to turn on HTTPS is partly a relic of an earlier era.
More than 50,000 new users have installed HTTPS Everywhere since the Firesheep story broke, showing that users deeply value about their on-line security and will take steps to protect themselves. For websites that care about protecting users' security, the solution is long overdue: now is the time for HTTPS.