Friday, October 29, 2010

Firesheep (from Firefox) refines our understanding of "HTTPS Everywhere" and what sites should do

The Electronic Frontier Foundation has an important piece by Seth Schoen, “The Message of Firesheep: Implement Sitewide HTTPS Now”, link here, dated Oct. 29.

According to the story, the Firesheep extension for Firefox demonstrates that an attacker can sniff packets from a target’s network and copy cookies, sometimes stealing logon information. An https logon may not be effective if the site does not properly encrypt the user-related traffic that follows it. (This isn’t an issue for a flat website or blog that does not accept visitor logons; it probably isn’t an issue for interacting with blogs hosted by reputable service providers including Blogger, Wordpress, and most well-established shared hosting ISPs; I’m a little bemused by the observation that others on a network could sniff Facebook or Twitter logons, unless they are talking about Facebook and Twitter plugins on other sites, and I would wonder about “wardriving” and wireless issues.) One of the features of https is that, when implemented properly, it allows a site to verify that you are who you say you are; but some sites don’t use https for all phases of this verification. Recent hardware and software advances show that sitewide https would not noticeably slow down processing. EFF says that “https everywhere” may not fully protect the visitor on websites that haven’t implemented encryption for all phases of their logon verification.
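The weakness the EFF piece describes is a server-side one: the site encrypts the logon page, then hands the browser a session cookie that is sent in the clear on every later request. The following Python script is an added example written for this post (it is not from the EFF article, Firesheep, or the blog author) showing how a site operator can audit a response for the two settings that close that gap: the cookie’s `Secure` attribute and a `Strict-Transport-Security` header. The sample responses, the cookie names it treats as session cookies, and the finding texts are all constructed for illustration.

```python
"""Audit HTTP response headers for the gap that session sniffing exploits.

A site that encrypts only the logon and then sets a session cookie without
the ``Secure`` attribute lets the browser resend that cookie over plain
HTTP, where anyone on the same network can copy it.  Two server-side
settings fix this: ``Secure`` on the session cookie (the browser never
sends it over HTTP) and a Strict-Transport-Security header (the browser
upgrades every request to HTTPS).  Everything below is constructed sample
data, not captured from any real site.
"""

# Constructed heuristic: cookie names commonly used for login sessions.
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "session"}


def parse_set_cookie(value):
    """Parse one Set-Cookie header value into (cookie_name, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes such as Path map to their value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def looks_like_session(cookie_name):
    """Heuristic: is this cookie likely to carry the logged-in session?"""
    lowered = cookie_name.lower()
    return lowered in SESSION_NAMES or "sess" in lowered


def audit(headers):
    """Return a list of findings for a response given as (name, value) pairs."""
    findings = []
    present = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in present:
        findings.append(
            "no Strict-Transport-Security header: browsers may still "
            "request pages over plain HTTP"
        )
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(hval)
        if not looks_like_session(cname):
            continue
        if "secure" not in attrs:
            findings.append(
                f"session cookie {cname!r} lacks Secure: it will be sent "
                "in cleartext on any HTTP request"
            )
        if "httponly" not in attrs:
            findings.append(
                f"session cookie {cname!r} lacks HttpOnly: page scripts can read it"
            )
    return findings


# Constructed sample: the weak configuration (logon encrypted, nothing else).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee1234; Path=/; Expires=Fri, 29 Oct 2010 23:59:59 GMT"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed sample: the corrected configuration for sitewide HTTPS.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=c0ffee1234; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(response)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The `lang` cookie is deliberately left without `Secure` in both samples: it carries no session state, so the audit ignores it and reports only on cookies that look like they identify a logged-in user. Run the script directly to see the weak response produce three findings and the hardened one produce none.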
