The researchers, Ian Gallagher of Security Innovation in Seattle, Washington, and Eric Butler, an independent security consultant and freelance web application and software developer, have released a new Firefox add-on over the weekend called Firesheep that aims to highlight the lack of security surrounding user logins and cookies on popular websites such as Facebook.
It's no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What's less clear is how much information is floating out there in the ether, especially with the rise of "Web 2.0" and rich social networking applications and other Web-based sharing tools.
Firesheep can be added to Firefox just like any other add-on. Once installed it adds a new sidebar that lists individual users logged into sites like Facebook over the same unsecured, open network. If a user pops up in this sidebar, Firesheep allows you to log in as them with a double-click of your mouse. It’s that simple.
Firesheep works due to poor security on the part of the website. While a user’s username and password may be protected with SSL encryption, in many cases the session cookie the site issues after a successful login is not, and the browser sends it in the clear with every subsequent HTTP request. So once a user has logged in, it is a simple task to capture that unprotected cookie and take over their account for the rest of that session.
If you want to protect against Firesheep, the first thing to do is ensure the wireless network you are connecting through isn’t open and that encryption is enabled. TechCrunch also has a post on a possible way to protect your login from Firesheep if you do need to use an insecure, open network.
The solution really needs to come from the website that issues the login and the cookie, though. Protection should not stop at the initial login; the entire session should run over HTTPS (SSL), and the session cookie should be marked so the browser never sends it over plain HTTP.
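As an added example (not code from the article or from the Firesheep authors), the following Python audit checks a site's response headers for the exact weakness described above: a session cookie without the Secure flag, which the browser will happily send over plain HTTP, and a session that is not pinned to HTTPS with Strict-Transport-Security. The header values and the `example.com` domain are constructed samples, and `harden_cookie` shows the corrected Set-Cookie value a site operator would want to emit.

```python
"""Audit HTTP response headers for the weakness Firesheep relied on:
a session cookie that the browser will also send over plain HTTP,
so a passive listener on an open Wi-Fi network can replay it."""
from http.cookies import SimpleCookie

# Constructed sample responses for a hypothetical site (not real headers).
VULNERABLE = [
    ("Set-Cookie", "sid=abc123; Path=/; Domain=.example.com"),
    ("Content-Type", "text/html"),
]
HARDENED = [
    ("Set-Cookie", "sid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Type", "text/html"),
]


def audit_cookie(header_value: str) -> list[str]:
    """Findings for one Set-Cookie value; an empty list means the cookie is
    protected against passive sniffing (Secure) and script theft (HttpOnly)."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, sent in clear over HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by page script")
    return findings


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Collect cookie findings and check that the site pins the whole session
    to HTTPS with HSTS; without it the first http:// request leaks the cookie."""
    findings = []
    names = {key.lower() for key, _ in headers}
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header: session not pinned to HTTPS")
    return findings


def harden_cookie(header_value: str) -> str:
    """Rewrite a Set-Cookie value so it is only sent over HTTPS and hidden from JS."""
    attrs = [a.strip() for a in header_value.split(";") if a.strip()]
    present = {a.lower() for a in attrs}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            attrs.append(flag)
    return "; ".join(attrs)
```

Run `audit_response(VULNERABLE)` and `audit_response(HARDENED)` to see three findings for the first and none for the second; the same checks can be pointed at a real site's headers captured with any HTTP client.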