Learning the wrong lessons from Firesheep

Summary: Firesheep was created at the Toorcon hacker conference by Seattle programmer Eric Butler as a protest against the lack of SSL encryption on popular sites, an enormous security hole he wants plugged now.


According to most media reports, Firesheep means you should never use the Internet, never use an open WiFi connection, and certainly never use one for a social networking site like Facebook or Twitter.

(Note: This bit of art, credited to MyBlackSheep, is also deliberately teaching the wrong lesson. It is flying about the Web today, often on false-front sites that seek to download malware to you. I found this one at JackTimes. Don't pet the firesheep.)

These are the wrong lessons. I think they're wrong deliberately. Some people still seem to think that open source and the Internet are genies that can be put back into the bottle, that if people are frightened enough they will flee the Web and go back to print and the TV for their news.

It's not going to happen. Freedom is a feature, not a bug, and those who insist on considering it a bug are not your friends. (I will have more on this later today.)

Firesheep was created at the Toorcon hacker conference by Seattle programmer Eric Butler as a protest against the lack of SSL encryption on popular sites, an enormous security hole he wants plugged now:

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

(Clever readers will also note that Butler first wrote versions for the Mac and PC, promising a Linux version one fine day.)

Never mind that SSL is pretty low level security. Never mind that good intentions are always misunderstood. Eric is an idealist, this is a demo, he wants action now!

Danny O'Brien of the Committee to Protect Journalists offers the best advice I've seen on Firesheep so far.

  1. Use the HTTPS Everywhere plug-in so you will have encryption wherever it's available.
  2. If you go on Twitter or Facebook, use the https versions of those sites.
  3. Use a virtual private network. Run the unencrypted leg of such a network through Sweden.

Another way around the problem may be an existing Firefox extension called Force-TLS.

Butler's program empowered 104,000 lazy people to download it the first day. (Later updated by Butler to 129,000.) It has also led to a counter-tool called Idiocy, a virtual hand slap that does a session hijack, posts a warning tweet, and then tells victims what to do in order to prevent it from happening again.

In his follow-on blog post, Butler continues to insist he's a good guy interested only in your security, says Firesheep only puts a pretty user interface on tools that already exist, and attacks sites which either charge for use of https or implement it sparingly, claiming a performance hit.

He also offers a little praise for GMail, which went https-only earlier this year.

Finally, this warning:

You can’t simply avoid visiting the sites that are being attacked here. There’s an enormous amount of mixed content on the web today, such as the Facebook “Like” button, Digg’s “Digg It” button, twitter widgets, and even embedded images that are hosted on Flickr or other photo sharing sites. Every time you access any web page that includes any of this content, your browser also sends any authentication cookies you have with the request to pull down the widget.

Clever users will note such links sit at the top of the page you're now on.
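As an added illustration of the mixed-content point in the quote above (this is example code, not from the original post or from Firesheep): a session cookie issued without the Secure attribute is attached by a standards-following cookie jar to any plain-HTTP request for the cookie's domain, such as the request that fetches an embedded widget, while the same cookie marked Secure stays off the wire. The domain `example-social.test`, the cookie value and the widget URL are constructed assumptions.

```python
"""Why an https login page alone does not stop Firesheep.

A cookie set over HTTPS but without the Secure attribute is sent by the
browser with every plain-HTTP request to that domain, including the one
a third-party page triggers to load an embedded widget.  The standard
library's CookieJar applies the same domain/path/secure rules a browser
does, so we can reproduce the behaviour offline.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed sample data; the site, cookie and widget path are made up.
LOGIN_URL = "https://www.example-social.test/login"
WIDGET_URL = "http://www.example-social.test/plugins/like.php"  # embedded elsewhere
WEAK_HEADERS = ["session_id=abc123; Domain=.example-social.test; Path=/"]
HARDENED_HEADERS = ["session_id=abc123; Domain=.example-social.test; Path=/; Secure"]


class _SetCookieResponse:
    """Minimal stand-in for the HTTP response object CookieJar expects."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message appends, not replaces

    def info(self):
        return self._headers


def jar_after_login(set_cookie_headers, login_url=LOGIN_URL):
    """Simulate a login over HTTPS whose response sets the given cookies."""
    jar = CookieJar()
    jar.extract_cookies(_SetCookieResponse(set_cookie_headers), Request(login_url))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies domain, path and Secure checks
    header = req.get_header("Cookie")
    if not header:
        return []
    return [pair.split("=", 1)[0] for pair in header.split("; ")]


def main():
    for label, headers in (("no Secure flag", WEAK_HEADERS),
                           ("Secure flag", HARDENED_HEADERS)):
        jar = jar_after_login(headers)
        print(f"{label}: plain-HTTP widget request carries {cookies_sent_to(jar, WIDGET_URL)}")
        print(f"{label}: HTTPS request carries "
              f"{cookies_sent_to(jar, 'https://www.example-social.test/')}")


if __name__ == "__main__":
    main()
```

The weak configuration leaks `session_id` on the widget request, which is exactly the traffic Firesheep reads on open WiFi; the Secure attribute keeps the cookie off plain HTTP, and site-wide HTTPS removes the plain-HTTP requests altogether.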

  • Once again, the computer field acts like its own little world

    Just think for a second. Firesheep was created to protest the lack of SSL encryption on some sites. And in the process, thousands of people have been put at risk.

    Imagine if we apply that wild-west logic to something else, like fire safety: Eric Butler creates self-combusting paint to protest the lack of sprinkler systems in residential houses.

    I'm not sure why we even remotely entertain the notion that Eric's actions can somehow be justified. I think it's high time we started treating computer people with the same legal standards as everyone else.
    • RE: Learning the wrong lessons from Firesheep

      @croberts Scapegoating the messenger is always the first recourse, before we consider the problem and work on a solution.

      The problem existed for years before Roberts acted -- all he did was put a user interface on something that already existed.

      I guess everyone who writes a user interface should be licensed by the government and have their work examined by prosecutors before it's allowed out, then.
      • Thanks for the reply, but I disagree


        This is not scapegoating.

        In my fire example, I could argue just as strongly that people are just as much at risk without sprinklers regardless of whether they have fictitious self-combusting paint on the walls.

        The problem is, no one would seriously argue that putting people at risk of having their house burn down is the way to change building codes to incorporate sprinklers.

        You protest, you take out ads... you run for city council.... you know, things that are supposed to happen in a mature democracy where we do things like grownups.

        Yet, here you are saying that Eric Butler is OK to take the immature road to change. I'm just curious why the double standard?
      • RE: Learning the wrong lessons from Firesheep


        Instead of disclosure of the problem itself, Eric Butler made the dangerous software available for absolutely everyone. Maybe the problem could be worked out another way? Firesheep sure won't help to resolve it for minor web-services and sites and, i.e., Facebook users will sure fall victims of Firesheep, which is supposed to "help the users win".
        Loony Gnoll
      • RE: Learning the wrong lessons from Firesheep

        @DanaBlankenhorn Butler had been talking about this for some time. All he really wrote was a user interface for existing malware.

        Think everyone who does a UI should have to register? Is the UI the problem, or the underlying malware? And if no one in a position of authority pays any attention to it when you yell about it from the rooftops, what then? Let people be victimized?
      • RE: Learning the wrong lessons from Firesheep


        You need to stop and consider the term "messenger". This guy didn't run up and tell the king that the castle walls were too short. He went out to all the villages and gave them a trebuchet, and told them they could use them on the castle because its vulnerable. Sure, someone may have figured that out, and some may have the means to exploit it, but now it's easy for everyone to exploit it since they were given the tool.

        "Messenger" versus "Weaponer". Huge, huge difference.
      • RE: Learning the wrong lessons from Firesheep


        IMHO, that's not an accurate analogy. I'd say the villagers already had the trebuchet (or 27), know the castle is vulnerable, know where to find big rocks (or bee hives, diseased corpses, celine dion CDs, etc...) and a few have even successfully landed 17lb medieval bowling balls on the king's breakfast more than once.

        What Butler did was more akin to setting up a big warehouse in the village then made and gave away free bolt-on mods for the trebuchets (yeah, pimp my ride!). It was a big mod that provides an internal combustion engine that moved the trebuchet, power steering, GPS and an automated targeting system.

        Is that a bad thing? Yes, I think it's still a bad thing but I also think we need to be very clear what faults lie where.

        1. Silly king with the lame castle walls - silly websites/company owners with their lame security

        2. Naughty carpenters that built the trebuchet(s) - naughty hackers that wrote the original malware code/scripts

        3. Naughtier mod-kit peddler that built and gave away the trebuchet mod-kit - naughtier Butler who put an easier to use UI on the existing malware

        Smack all 3 if you like or none but again, place the right fault with the right party.

        @croberts Same deal, it is scapegoating. I agree with you that there are far better ways to get the message across like I believe protesters have no business blocking major roads downtown delaying my commute to work. However, Butler isn't the only person who did a misdeed here and IMHO, he's not the worst of the three obvious parties either.
      • Eric Butler's a coward

        Why didn't he write a program called "Internet Exposure 8"?

        Because he knew Micro$oft would bitch_slap him silly with legal fees, so the Mozilla Foundation was a soft touch.

        Besides, it's not Mozilla's fault these social websites don't use proper SSL encryption. Why parody a browser that at least offers a plug-in where you can force https logins? It's stupid.
        ahh so
      • More than a messenger!

        @DanaBlankenhorn

        He is also the provider of the tool itself. Now everyone can hack instead of just a few. Chances are a hacker doesn't know you on Facebook but your frenemy does. Anonymous identities are good enough and provide plausible deniability for those hell bent on breaking in. And they want our data in the cloud? Yeah sure.

        What colors does that Hindenburg doping paint come in croberts?

        Another analogy. I just came up with tungsten bullets for all rifles and then email all the police stations that special bulletproof vests should be worn now that everyone can get them easily. Now instead of a select few, who have home loaders, everyone can now kill all that much easier.

        Besides https requires you to truly tell who you are and certs have been forged too. If it has to be that secure, then it is https over a RJ45 connection for important stuff. Facebook is a POS where narcissists divulge all their info anyway.
      • Oh Please

        Eric Butler is a Criminal. The only people supporting him are those who "don't know what freedom is," or to be specific, teenagers / immature adults.

        Right now, Dana, you are using a variant of the "Music Piracy is Good" argument, quite extensively I might add.

        Music Pirates Claim that they're only hurting the "middle man" and empowering the Artists. Similarly, Eric is claiming his tool only hurts Website Owners and Empowers the End Users.

        He ignores by releasing a tool that was intentionally designed to hack into others accounts... AND released as opensource (basically means that he wants people to make variants, that he wants them to do MORE than just what his "proof-of-concept" test does... and that he wants a guarantee that he can't "just be 'shutdown'") that the people he is hurting ARE the End Users.

        But wait, there's more fun. Music Pirates claim that "The Genii is out of the bottle, Piracy is here to stay so fuck off". Freedom IS A BUG! Only obscenely uneducated and immature people claim otherwise.

        What the internet currently represents is anarchy. Youtube is constantly being contacted to pull down copyright infringing media, they hide behind the same laws Wikipedia does so they're not responsible for the media they provide because they don't manage the content... but it doesn't change the fact that their service is used (to no small degree) to illegally distribute copyright protected media.

        It's lewd, but child pornography does exist... I would think that if someone were to start using their services to upload their homemade videos that they'd have a hardtime explaining why they were distributing it.

        Let's take this one step further. I'm a pedophile on an open wireless connection and I use firesheep to hijack a YouTube account. Oh, the possibilities.

        But without resorting to a Slipery-Slope argument... let's get back on point. The internet is currently in a state of anarchy... various sites have their own "governments" which are regulated (typically) by who is the biggest bully "with friends". Take Wikipedia, the community won't take anything you say seriously until you've reached some imaginary level. Take various "forum" sites, even with moderation the community can quickly spiral down into considering cyberbullying "a typical norm".

        I mean, seriously... I was banned from a community for blatantly accusing many "high standing members" for blatantly insulting and publicly humiliating a new member for asking a simple question. The person asking professed to being 13, while those who were taunting and ridiculing him claimed to be over 20.

        How about the freedom to commit libel?

        The Freedom to Steal?

        Document THIS KIND of material?


        I mean, thepiratebay.org exists solely to facilitate the illegal transfer of copyrighted material... yet they claim they're freedom fighters...

        I mean... SERIOUSLY NOW!

        Eric didn't invent anything, he didn't even do anything all that innovative. What he did do was produce and distribute a product that users would download "with the intent of committing an illegal act". This is akin to him giving out Car Remotes that exploits cars that don't use a rolling code. (Rather silly because they all should... but still). Sure, it is "informative" to do so... but all people are going to do with them is steal cars.

        He's trying to claim innocence from malicious intent, because "he only intended for his product to serve as a warning" excluding the obvious fact that "people would download his product to commit crimes".

        You CAN'T keep claiming "It's just a UI, The Genii is out of the bottle, He did nothing wrong". He DID do something wrong... but his CHARISMA (and "bug" that is called freedom) has convinced you otherwise.
    • RE: Learning the wrong lessons from Firesheep

      @croberts Unfortunately, you're placing the blame on the wrong person here. Which is worse, demonstrating a security flaw, or exploiting a security flaw?

      Trust me, if the hackers knew about this exploit before Firesheep went public (and something tells me they did), they wouldn't have said boo to anybody about it; instead they'd have quietly gone about hijacking our Facebook accounts for their own gain, and all of us sheep would have been sheared repeatedly.

      I'd rather see the shears coming and be able to do something about it, personally.
      • RE: Learning the wrong lessons from Firesheep

        Nothing is going to happen as a result of this... they won't update their servers, the idiot who made the program is trying to claim that there is no cost (without reading the fineprint) to adding the service when there actually is (he pulled a few "free" sites, but he refused to comment on anything but what was on the front page of those sites. They certainly wouldn't want to have the traffic google would produce going through without some form of fee.

        Point is, if you actually wanted to, you can tear that persona of his down revealing the pathetic man inside. He wants to act like he's just "sticking it to the man" when all he is really doing is promoting anarchy. He will deny that anyone can seriously get hurt, but will also say that if someone does it's not HIS fault.

        Strange how quickly he twists his words.
    • RE: Learning the wrong lessons from Firesheep


      Yes, because people definitely listen so well when you just tell them about things. People (including you and me) are stupid, you have to force them to act. The fault does not lie with -anyone- but the people who allow the security holes in the first place.
      • RE: Learning the wrong lessons from Firesheep

        @mordocai:

        Right now, we have anti-smoking, anti-drinking, and anti-drug ads. Are they going to prevent people from doing drugs, drinking and driving, and smoking? No.

        Do you know what will? Pulling a Gun up to their face and tell them you'll shoot unless they stop.

        You don't understand the difference between a physical crime and a non-physical crime. (You would claim here that it isn't the same thing, even though it basically is)

        Worse, you might acknowledge that it is a crime, but claim that "no one gets hurt" or "it's just having fun". It's a typical excuse used by Teenagers.

        You can't say that criminals won't use this UI for malice... you can't say that identity theft is ever "just for kicks" you can't say that there is a single reason to encourage others to break the law so that you can "spread a message".

        Eventually, laws will be passed allowing this guy to rot where he deserves. Until then, we have to tolerate his existence.
    • RE: Learning the wrong lessons from Firesheep

      @croberts I think the important thing here that you're failing to emphasise is that bad people have already known about and been exploiting these issues for a long time; Butler has simply armed everybody with the same hoe of destruction.

      It's rather similar to the argument that if guns are outlawed, only outlaws will have guns. Personally, I would prefer that nobody had guns but that's quite impossible.
      Unlike gun control however, the problems here /can/ be fixed, and widespread awareness of them will help.
      • RE: Learning the wrong lessons from Firesheep


        SOME Bad people have had Nuclear Weapons.
        Other Bad people were not so fortunate.

        Then Butler said "Free Nuclear Weapon Day" and gave everyone the bombs they deserved.

        Guns have through licensing and regulations. What he would be doing is handing out "untraceable guns". Though I like the nuclear weapon analogy better.
  • RE: Learning the wrong lessons from Firesheep

    Cute post. I just thought that this post will not be that good before reading, but it's worth reading.

    Search Engine Optimization USA
  • The Real Problem is HTTPS and IPv4

    All of the websites in the world can't be encrypted via SSL using IPv4. Now, the important ones sure could and I am quite angry that they are not. Or worse, for example, you go to a site like licensing.microsoft.com and its cert is issued by a revoked CA. Awesome. But I digress...

    It's easy to miss the fact that it's technically impossible for all of the websites everywhere to be encrypted. I wish they could, myself. Absolutely everything of mine would be encrypted for certain. However, there can only be one SSL cert per IP address for security reasons and partly due to the design of HTTPS. I don't know of any CAs that will issue a single cert for multiple domains, either. I believe they could do so if they wanted, though. To solve this problem for myself I've gotten wildcard or multi-subdomain certs for my second level domains and just put all of my own services under those domains. Then I can use Apache's vhost_alias module as usual to map domains to content. But I also host tons of domains I don't control on vhost servers. There's no way to implement SSL for those sites because they all share an IP. I'd either have to use a cert for each site and buy tons of (non-existent) IPv4 addresses (which ARIN refuses to sell me) or give all but one site an invalid cert.
    • RE: Learning the wrong lessons from Firesheep

      @cabdriverjim I don't think there is a need to encrypt EVERYTHING. As you pointed out, it's not only technically infeasible, but it's also a bit of overkill.

      However, if a site is expected to store, display, or broker personal information (not just a GUID or other identifier for our computer, or what version of software we're using as a browser) then the responsible thing is for that site to get a valid certificate and use it to power SSL. As far as site hosts are concerned, if a site needs more than one IP/netblock to manage SSL, then that'll factor into their site costs. Perhaps then we won't see such profligate disregard for customer privacy, because it'll cost more money to run such a service in the first place.

      Facebook is such a site, and this isn't the first time Zuckerberg's been caught with his pants down in regards to user privacy. What surprises me is, everybody's getting on Butler's case for pointing out that the Emperor has no clothes on, AGAIN.
    • multi domain Certs exist


      There are many CAs that will issue multiple domain certs, I've purchased several...

      Not all that expensive either. GoDaddy's multi-domain cert starts at 5 domains for $89.99