Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

Firesheep isn't making headlines anymore, but it's still out there and causing trouble. Fortunately, there's a new version of HTTPS Everywhere to help block it.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Firesheep, the all too easy-to-use Web snooping tool, continues to expose the disaster that is modern Web site security. Sooner or later, a lot of people are going to lose a lot of valuable information to hackers using Firesheep and scream to high heaven about it. Then, and only then, will Web server administrators start offering HTTPS all the time.

You, however, don't have to be one of those victims. There are already tools that will help protect your Web wandering from Firesheep. One of the best of these, the Electronic Frontier Foundation's (EFF) HTTPS-Everywhere, has recently had a major upgrade.

As far as I'm concerned, this latest version is a must for anyone who uses public Wi-Fi spots and doesn't have the luxury of using a virtual private network (VPN). HTTPS-Everywhere rewrites your requests to many popular Web sites so that you connect to them over HTTPS, that is, HTTP carried over Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).

In addition to providing better protection for Facebook, Twitter and Hotmail accounts, this version also adds protection for bit.ly, the popular URL shortening site; the Amazon Web Services (AWS) cloud service; Cisco; Dropbox, the online backup and file-sync site; Evernote, the Web-based note-taking system; and Github, a popular distributed version control system. Speaking as someone who uses Dropbox all the time and many of these other Web sites every now and again, I consider this release of HTTPS-Everywhere a must on all my laptops.

That's the good news. The bad news is that Facebook gives HTTPS-Everywhere problems. To protect yourself on Facebook to the best of HTTPS-Everywhere's abilities, you need to turn on the "Facebook+" rule. You do that in the Tools->Add Ons->HTTPS Everywhere->Preferences menu. It's not on by default, because it can cause some Facebook Apps to break. A more significant problem for some users is that Facebook chat won't work at all over an HTTPS connection. Personally, I'd rather be safe than sorry, but if you like to live dangerously on public networks you can turn off the Facebook+ rule and take your chances.

You should also keep in mind that if a Web site doesn't support SSL, TLS, or HTTPS, and many don't, there's not a darn thing that HTTPS-Everywhere can do to protect you. I'm also sorry to report that HTTPS-Everywhere still works only with Firefox. Other popular Web browsers, such as Internet Explorer, Chrome, and Safari, don't, at this time, allow for the kind of URL rewriting that HTTPS-Everywhere uses to make sure that secure connections are always used when they're available.

On the plus side, the EFF has also made it possible for XML-savvy users to write their own rules for sites that support secure connections but aren't currently covered by HTTPS-Everywhere. After testing your rule sets, you're invited to share them with the EFF so that they can be included in future HTTPS-Everywhere releases.

Now, if only more Web sites offered secure connections by default, we'd be a long way toward solving the problems that Firesheep has uncovered. Since I don't see any rush by Web-site administrators to make their sites more secure, programs like HTTPS-Everywhere are still only going to be band-aids on the Web's privacy and security wounds.
