A new Firefox extension lets anyone on the same wireless network take over your logged-in web accounts, even on campus.
Eric Butler, a freelance web application and software developer from Seattle, released the extension for Mozilla's Firefox browser last week. Called "Firesheep," it gives a user on a shared wireless network full access to the accounts of other people on that network who are logged in to popular websites such as Facebook and Twitter.
Butler created and released the extension to pressure companies such as Amazon, Facebook, Google and Twitter into improving their security. The free extension is simple to use, with a one-button interface, and is available for Firefox on Windows and Mac OS X computers, according to Butler's blog.
Kevin Johnson, a security consultant with Secure Ideas, is excited about tools like Firesheep because of the attention they bring to how insecure the Internet can be.
“We’ve known about this for years.”
Firesheep works by "sniffing" your "cookies": small pieces of saved data that let a website recognize who you are. After you log in, the website hands your browser a personalized session cookie, and the browser sends it back with every later request to prove that the request is yours.
Firesheep collects those cookies from the traffic of other users on the same network. Even networks that require a password to join, such as UF's wireless network, do not necessarily protect you: a cookie sent over plain "http" is readable by anyone who can see the traffic, and on a network that uses a single shared password, other users who know that password can still decrypt what you send.
“Think of it as a key,” Johnson said. “You need your dorm key to get into your dorm.”
The real problem, which Butler is exploiting with Firesheep, is that these websites encrypt only the login itself. Once your password has been accepted, the website sends your browser back to unencrypted pages; you'll notice the "s" disappear from "https://" in your browser's address bar, and from then on your session cookie travels in the clear with every request.
At that point, anyone who has captured the cookie can attach it to their own requests and the website will treat them as you, no password required. The only thing Facebook or Google would have to do to fix this problem is not switch back to "http," Johnson said.
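The following is an added example, not Firesheep's code and not from this article, showing the two halves of the problem described above: a session cookie that crosses an open wireless network in cleartext after login, and the one attribute on that cookie that would keep it off the air. The captured requests, hostnames and cookie names are constructed for this example, and the per-site list of session cookies is an assumption standing in for Firesheep's real site handlers.

```python
"""
Added example: why a session cookie sent over plain http is enough to take
over an account, and what the Secure attribute changes. Everything captured
below is constructed; SESSION_COOKIES is an assumed stand-in for the real
per-site handlers and is not Firesheep's list.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Which cookie carries the logged-in session on each site (assumed names).
SESSION_COOKIES = {
    "www.example-social.test": ["sid"],
    "mail.example.test": ["auth"],
}

# Constructed sample of what a passive sniffer on an open wireless network sees
# from other users: (client address, destination port, raw TCP payload).
SAMPLE_PACKETS = [
    # The login itself went over TLS: the sniffer sees only a TLS record.
    ("192.0.2.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(20)),
    # The site then sent the browser back to plain http, so the next request,
    # session cookie included, goes by in cleartext.
    ("192.0.2.10", 80, b"GET /home HTTP/1.1\r\nHost: www.example-social.test\r\n"
                       b"Cookie: lang=en; sid=7f3a9c1e\r\nUser-Agent: x\r\n\r\n"),
    # A cleartext request to a site with no handler: cookie seen but not wanted.
    ("192.0.2.12", 80, b"GET / HTTP/1.1\r\nHost: www.example-news.test\r\n"
                       b"Cookie: pref=1\r\n\r\n"),
]


@dataclass
class HijackedSession:
    client_ip: str
    host: str
    cookies: dict      # name -> value, only the session-bearing ones


def parse_cleartext_http(payload):
    """Return (host, cookies) for a cleartext HTTP request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None                     # TLS or other binary data: unreadable
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None
    host, cookies = None, {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                cookies[k] = v
    return host, cookies


def harvest_sessions(packets):
    """Firesheep's core idea: pull session cookies out of cleartext requests."""
    found = []
    for client_ip, _port, payload in packets:
        parsed = parse_cleartext_http(payload)
        if parsed is None:
            continue
        host, cookies = parsed
        wanted = SESSION_COOKIES.get(host, ())
        session = {k: v for k, v in cookies.items() if k in wanted}
        if session:
            found.append(HijackedSession(client_ip, host, session))
    return found


def replay_header(session):
    """The Cookie header an attacker attaches to their own request in order to
    be treated as the victim; no password is needed."""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in session.cookies.items())


def cookie_sent_over(set_cookie_header, scheme):
    """Would a browser attach a cookie set by this Set-Cookie header to a
    request over `scheme`? Per RFC 6265 a cookie carrying the Secure attribute
    is only sent over https, so it never appears in cleartext even if the site
    later sends the browser to an http page."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = next(iter(jar.values()))
    return scheme == "https" or not morsel["secure"]


if __name__ == "__main__":
    for s in harvest_sessions(SAMPLE_PACKETS):
        print(f"{s.client_ip} -> {s.host}: {replay_header(s)}")
    # The weak Set-Cookie the article describes beside a hardened one.
    for hdr in ("sid=7f3a9c1e; Path=/", "sid=7f3a9c1e; Path=/; Secure; HttpOnly"):
        print(f"{hdr!r} sent over http: {cookie_sent_over(hdr, 'http')}")
```

The TLS packet yields nothing, the plain-http request yields the whole session, and the same cookie marked Secure would not have been sent over http at all. That is also why "just stay on https" is the fix Johnson describes: a Secure cookie on a site that still serves http pages simply logs the user out on those pages, so the site has to stop downgrading for the cookie to be both safe and useful.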
Facebook issued a statement on Wednesday, which said a more secure option of accessing Facebook will be provided as an option in the coming months.
While Google has secured its e-mail service, Gmail, a Firesheep user can still read e-mails. Once a user leaves the page and looks at videos or does a search, they are no longer secure and someone can get access, Johnson said.
There are a couple of ways to protect yourself without waiting for insecure websites to change. The Electronic Frontier Foundation's own extension, HTTPS Everywhere, makes the browser request the "https" version of a website instead of "http" wherever it knows the site supports it. But the extension isn't supported by all websites and will notify you when you're browsing an insecure page, Johnson said.
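The following is an added example, not the EFF extension's code and not from this article, of the mechanism behind an https-forcing browser extension: a ruleset maps hosts to rewrite rules, URLs with a matching rule are upgraded before the request leaves the browser, and URLs with no rule load over plain http and produce the warning described above. The hosts and rules are constructed for this example and are not taken from any real ruleset.

```python
"""
Added example: rule-based http-to-https upgrading in the spirit of the EFF's
HTTPS Everywhere. RULESET is hypothetical; the host names are constructed.
"""
import re
from urllib.parse import urlsplit

# Hypothetical per-site rules: which hosts a rule covers and how to rewrite
# a plain-http URL for them.
RULESET = [
    {"name": "Example Social",
     "targets": [r"(www\.)?example-social\.test"],
     "from": r"^http://(www\.)?example-social\.test/",
     "to": "https://www.example-social.test/"},
    {"name": "Example Mail",
     "targets": [r"mail\.example\.test"],
     "from": r"^http://mail\.example\.test/",
     "to": "https://mail.example.test/"},
]


def upgrade_url(url):
    """Return (url_to_load, status), where status is one of:
      'secure'    already https, nothing to do
      'rewritten' a rule matched; the browser requests the https URL instead
      'insecure'  no rule covers this host; the page loads over plain http,
                  the case the article says the extension warns about
      'other'     not a web URL (e.g. ftp:), left alone"""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url, "secure"
    if parts.scheme != "http":
        return url, "other"
    host = parts.hostname or ""
    for rule in RULESET:
        if any(re.fullmatch(t, host) for t in rule["targets"]):
            upgraded = re.sub(rule["from"], rule["to"], url, count=1)
            if upgraded != url:
                return upgraded, "rewritten"
    return url, "insecure"


def browse(urls):
    """Apply the ruleset to each URL; returns (old, new, status) triples and
    the list of hosts the user should be warned about."""
    results, warnings = [], []
    for u in urls:
        new, status = upgrade_url(u)
        results.append((u, new, status))
        if status == "insecure":
            warnings.append(urlsplit(u).hostname)
    return results, warnings


if __name__ == "__main__":
    sample = [
        "http://example-social.test/home?tab=1",
        "https://mail.example.test/inbox",
        "http://www.example-news.test/story/42",
    ]
    results, warn = browse(sample)
    for old, new, status in results:
        print(f"{status:9} {old} -> {new}")
    print("warn user about:", warn)
```

The limitation Johnson mentions falls directly out of the design: a site is only protected if someone has written a rule for it and the site actually serves its pages over https, so an unlisted site still loads in the clear and the extension can do no better than tell you so.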