Firesheep: A Firefox Network-Sniffing and Hijacking Plugin

This is a big deal: Firefox extension makes social network ID spoofing trivial.

It would, I gather, be a serious violation of the University of Miami acceptable use policies for me to test drive this at work, so I can't report on how it does. But if anyone has tried this out somewhere else, please let me know in the comments if it works as advertised.

The author of the article optimistically suggests that having something like this in the wild will cause a revolution in site security. That may work at the very highest profile sites like Facebook, but overall, that's just a dream, unfortunately.

I just hope that using a VPN protects against this. (I think it will.)

(Thanks to TB for putting me on to this.)


2 Responses to Firesheep: A Firefox Network-Sniffing and Hijacking Plugin

  1. Mhc says:

    If you’re connected to a public wireless network and use a VPN to conduct your online activity, the VPN should protect you from sniffers on the wireless network.

    Depending on how the VPN is configured, however, it may not protect you from sniffers on the other side of the connection. If, after you establish the VPN, you’re connected to your corporate network just as any other user on-site, a sniffer attached to the network at that point could hijack your session.

    In addition to the VPN, your best bet is to require sites to use SSL. With Firefox, there are a couple extensions that provide such functionality, including Force-TLS (https://addons.mozilla.org/en-US/firefox/addon/12714) and the EFF’s HTTPS Everywhere (https://www.eff.org/https-everywhere).

  2. Thanks for passing this along. Very helpful and timely for us!
