But the implications are serious. Firesheep allows a user to EASILY sniff traffic over an open WiFi network and steal session cookies -- basically, your logged-in session for Facebook, Google, Amazon, Flickr, CNET, the New York Times, Twitter, Yahoo, and a ton of other websites that don't use HTTPS (SSL/TLS) for the whole session. Many of these sites encrypt the login form itself, but then send the session cookie in the clear on every ordinary page load, and that cookie is all a sniffer needs, since the server trusts it in place of your password. A well-written demonstration of using this can be found here -- just plop yourself down at the nearest Starbucks and send polite warning messages to the 20+ Facebook and Amazon accounts you can access. Watch their response.
There's a big reason I put EASILY in the above paragraph in CAPITAL LETTERS. Other tools for doing this (known as sidejacking) have been around for years (it was first demo'd at a BlackHat presentation in August of 2007), but none has ever been as user-friendly and intuitive as Firesheep. This is a plug-in for Firefox (hence the "fire" in Firesheep), and someone's account can be accessed within about 10 seconds and a double-click. It's that simple. To quote an oft-used Apple idiom, It Just Works.
Many tech folks are dismissing this as yet another tool to exploit something we've already known. And maybe they're right. But I believe they're underestimating the value of making things user friendly. The gold standard of this is Apple:
- They were not the first to invent the Personal Computer -- the window-based interface just made it easy to use.
- They were certainly not the first to invent the mp3 player -- they just made it easy to use, in a cool form factor.
- They were not the first to invent the smart phone -- they just made it easy to use.
See a trend here? I think Firesheep could develop the same way. And although it may not appeal to everyday, innocent users of The Internets like you and me, I bet it has an incredibly strong appeal to pimply-faced, technologically inclined teenagers. And all it takes is some enterprising youth to camp out in a Beverly Hills Starbucks and wait for an unsuspecting celebrity to log in. Instant tabloid news story, similar to the episode when Paris Hilton's smartphone got hacked.
In a worst-case scenario, this would spook 95% of Facebook users, who run screaming from the site and dump their accounts before Facebook implements a solution. Panics have happened on Wall Street many times; we're probably due for one on the Internet soon, too.
How to protect yourself against this?
- There's already a counter program out there called FireShepherd, but it's kind of brute-force and not very user friendly. Or network friendly: it works by flooding the wireless network with junk packets crafted to crash Firesheep, which slows the network down for everyone and does nothing against a sniffer that isn't Firesheep. But it's better than nothin'.
- Make sure your Gmail is set to always use HTTPS (it's a setting in Gmail's options), and on open WiFi use a VPN or a browser add-on like HTTPS Everywhere so the sites that do support HTTPS are forced onto it. The real fix is on the site's side, though: serve the entire logged-in session over HTTPS and mark the session cookie Secure, so the browser never sends it over plain HTTP in the first place. Until a site does that, there is nothing you as a user can do to make it safe on an open network.
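To make both the attack and the fix concrete, here is an added example (mine, not code from the original post or from Firesheep) that parses a constructed plaintext HTTP request the way a sniffer on an open network sees it, builds the replay request that hands over the session, and then shows the server-side check and fix: a cookie set with the Secure attribute is never sent over HTTP, so there is nothing to sniff. The host name www.example-social.test, the cookie names and values, and the SESSION_COOKIE_NAMES table are all made up for the example.

```python
"""Sidejacking demo: what a passive sniffer sees on an open WiFi network,
and the Set-Cookie attribute that takes the session cookie out of reach.
Added example; not part of Firesheep or of the original post."""

# Constructed sample capture (not real traffic): one HTTP/1.1 request as a
# browser sends it in the clear to a site that does not use HTTPS for the
# logged-in session. Host name and cookie values are made up.
CAPTURED_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example-social.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:3.6) Firefox/3.6\r\n"
    "Cookie: datr=a1b2c3; c_user=100001; xs=deadbeefcafe; locale=en_US\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Hypothetical per-site handler, mirroring the idea (not the contents) of
# Firesheep's site scripts: which cookie names make up the login session.
SESSION_COOKIE_NAMES = {
    "www.example-social.test": ["c_user", "xs"],
}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict).

    Header names are lower-cased. The body is ignored because the session
    cookie always travels in the headers.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def extract_cookies(raw):
    """Return the Cookie header of a plaintext request as a name -> value dict."""
    _, _, headers = parse_request(raw)
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def sidejack_request(raw, path="/"):
    """Build the replay request a sidejacking tool would send.

    Only the cookies listed for the host in SESSION_COOKIE_NAMES are reused.
    No password is needed: the server trusts the cookie alone. Returns None
    when the capture carries no session for a known site.
    """
    _, _, headers = parse_request(raw)
    host = headers["host"]
    cookies = extract_cookies(raw)
    wanted = SESSION_COOKIE_NAMES.get(host, [])
    stolen = [f"{n}={cookies[n]}" for n in wanted if n in cookies]
    if not stolen:
        return None
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {'; '.join(stolen)}\r\n"
        "\r\n"
    )


def cookie_exposed_over_http(set_cookie_header):
    """Server-side check: will the browser ever send this cookie over plain HTTP?

    Without the Secure attribute the cookie goes out on every request to the
    domain, http:// ones included, which is exactly what a sniffer waits for.
    """
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


def harden_set_cookie(set_cookie_header):
    """Add Secure (never sent in the clear) and HttpOnly (not readable by page
    scripts) to a Set-Cookie header that lacks them."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    attrs_lower = [p.lower() for p in parts[1:]]
    if "secure" not in attrs_lower:
        parts.append("Secure")
    if "httponly" not in attrs_lower:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    print("cookies visible in the clear:", extract_cookies(CAPTURED_REQUEST))
    print(sidejack_request(CAPTURED_REQUEST, "/profile.php"))
    weak = "xs=deadbeefcafe; Path=/; HttpOnly"
    print("exposed over HTTP:", cookie_exposed_over_http(weak))
    print("hardened:", harden_set_cookie(weak))
```

The Secure attribute only helps if the site actually serves the logged-in pages over HTTPS; otherwise the browser would withhold the cookie and the user would simply appear logged out. That is why the fix has to come from the site, not from the user.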
Just be aware of what's out there. There's a whole lot of Not Privacy on the internet.