Learning the wrong lessons from Firesheep

Summary:Firesheep was created at the Toorcon hacker conference by Seattle programmer Eric Butler as a protest against the lack of SSL encryption on popular sites, an enormous security hole he wants plugged now.

According to most media reports Firesheep means you should never use the Internet, never use an open WiFi connection, and certainly never use one for a social networking site like Facebook or Twitter.

(Note: This bit of art, credited to MyBlackSheep, is also deliberately teaching the wrong lesson. It is flying about the Web today, often on false-front sites that seek to download malware to you. I found this one at JackTimes. Don't pet the firesheep.)

These are the wrong lessons. I think they're wrong deliberately. Some people still seem to think that open source and the Internet are genies that can be put back into the bottle, that if people are frightened enough they will flee the Web and go back to print and the TV for their news.

It's not going to happen. Freedom is a feature, not a bug, and those who insist on considering it a bug are not your friends. (I will have more on this later today.)

Firesheep was created at the Toorcon hacker conference by Seattle programmer Eric Butler as a protest against the lack of SSL encryption on popular sites, an enormous security hole he wants plugged now:

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

(Clever readers will also note that Butler first wrote versions for the Mac and PC, promising a Linux version one fine day.)

Never mind that SSL is pretty low level security. Never mind that good intentions are always misunderstood. Eric is an idealist, this is a demo, he wants action now!

Danny O'Brien of the Committee to Protect Journalists offers the best advice I've seen on Firesheep so far.

  1. Use the https everywhere plug-in so you will have encryption wherever it's available.
  2. If you go on Twitter or Facebook use the https versions of those sites.
  3. Use a virtual private network. Run the unencrypted leg of such a network through Sweden.

Another way around the problem may be an existing Firefox extension called Force-TLS.

Butler's program empowered 104,000 lazy people to download it the first day. (Later updated by Butler to 129,000.) It has also led to a counter-tool called Idiocy, a virtual hand slap that does a session hijack, posts a warning tweet, and then tells victims what to do in order to prevent it from happening again.

In his follow-on blog post, Butler continues to insist he's a good guy interested only in your security, says Firesheep only puts a pretty user interface on tools that already exist, and attacks sites which either charge for use of https or implement it sparingly claiming a performance hit

He also offers a little praise for GMail, which went https-only earlier this year.

Finally, this warning:

You can’t simply avoid visiting the sites that are being attacked here. There’s an enormous amount of mixed content on the web today, such as the Facebook “Like” button, Digg’s “Digg It” button, twitter widgets, and even embedded images that are hosted on Flickr or other photo sharing sites. Every time you access any web page that includes any of this content, your browser also sends any authentication cookies you have with the request to pull down the widget.

Clever users will note such links sit at the top of the page you're now on.

Topics: Collaboration, Social Enterprise


Dana Blankenhorn has been a business journalist since 1978, and has covered technology since 1982. He launched the Interactive Age Daily, the first daily coverage of the Internet to launch with a magazine, in September 1994.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.