When a Fix Isn’t a Fix

A while back I mentioned Firesheep, a Firefox plugin that allowed you to easily steal session cookies on open wireless networks. Frankly this plugin has exploded in popularity (which is the only reason I heard about it) and now people are trying to fix the problem. The problem is simple: websites use unencrypted channels to send authentication information to clients. The only real fix for Firesheep is websites switching from HTTP to HTTPS. Once website traffic is encrypted Firesheep no longer works, plain and simple.

Instead of legitimate fixes though, people are working on hacks to get around Firesheep. Take for example BlackSheep, a Firefox plugin that informs you if somebody on the network is using Firesheep. The problem here is that nothing is actually getting fixed. The vulnerability still exists and frankly that’s the whole problem. If you want a better fix to avoid getting your session cookie hijacked by Firesheep you can look into using HTTPS Everywhere. HTTPS Everywhere isn’t a perfect solution by any means as it only works with specific websites, but it’s far better than using something like BlackSheep that will just inform you if somebody is using Firesheep on your network.

The bottom line is that what Firesheep does has always been possible. Firesheep simply made a technical task easy enough for anybody to do, nothing more. Raising awareness of the problem was the goal and it’s done exactly that, with many websites finally talking about rolling out HTTPS secured sites in lieu of their current unencrypted ones.