Two weeks ago, an automatic session-hijacking plugin was released for Firefox. It was named Firesheep, and it's been downloaded over 600,000 times so far.
The decision to release Firesheep publicly is a controversial one. On the good side, it's reminded people that some of their common web surfing habits are dangerously insecure.
Many websites use HTTPS (secure HTTP) for login, which protects your password, but they revert to plain HTTP for the rest of the session. After you have logged in, security relies on the browser sending a session cookie - a secret authentication token - in every request.
Websites which send session cookies in unencrypted HTTP requests are exposing your logged-in session - not your password, but everything that session is allowed to do - to anyone else on the same network. If you're on an unencrypted WiFi connection, for example at a local coffee bar, then anyone within radio range of the access point can read the cookie off the air, replay it in their own browser and hijack your login.
Since Firesheep proves just how dangerous it is to send session cookies in insecure network packets, it is likely to push businesses such as Facebook and Twitter to adopt HTTPS as an all-session default much sooner than they might otherwise have done.
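To make the exposure described above concrete, here is an added Python example; it is not code from the original post and not Firesheep's own code. The first function pulls session-like cookies out of plaintext HTTP requests, using a constructed capture embedded inline as a stand-in for what an eavesdropper on open WiFi would see. The second audits a Set-Cookie header for the Secure and HttpOnly attributes, the server-side control that, together with serving the whole session over HTTPS, stops the browser from ever sending the cookie over plain HTTP. The host names, cookie names and token values are made up, and the list of "session-like" cookie names is an assumption for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample of plaintext HTTP requests, as an eavesdropper sniffing an
# open WiFi network would capture them. Hosts, cookies and values are made up.
CAPTURED_REQUESTS = [
    "GET /home HTTP/1.1\r\nHost: social.example\r\n"
    "Cookie: sid=9f8e7d6c5b4a; lang=en\r\n\r\n",
    "GET /feed HTTP/1.1\r\nHost: microblog.example\r\n"
    "Cookie: auth_token=abc123def456\r\n\r\n",
    # No cookie at all: nothing to hijack here.
    "GET /public HTTP/1.1\r\nHost: static.example\r\n\r\n",
]

# Cookie names that typically carry the authenticated session (assumed list).
SESSION_COOKIE_NAMES = {
    "sid", "session", "sessionid", "auth_token", "PHPSESSID", "JSESSIONID",
}


def extract_session_cookies(raw_request):
    """Return (host, {cookie_name: value}) for session-like cookies found in
    one plaintext HTTP request. Anyone holding the plaintext can do this."""
    head = raw_request.split("\r\n\r\n", 1)[0]      # headers only, drop body
    header_lines = head.split("\r\n")[1:]           # skip the request line
    host = None
    found = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            # Cookie header is "k1=v1; k2=v2"; keep only session-like names.
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key in SESSION_COOKIE_NAMES:
                    found[key] = val
    return host, found


def hijackable_sessions(requests):
    """Map each host to the session cookies leaked for it in plaintext."""
    result = {}
    for host, cookies in map(extract_session_cookies, requests):
        if cookies:
            result[host] = cookies
    return result


def audit_set_cookie(set_cookie_value):
    """Flag cookies a server sets without the attributes that keep them off
    plaintext HTTP. Returns {cookie_name: [missing attributes]}; an empty
    dict means every cookie in the header carries both Secure and HttpOnly."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    problems = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:      # browser may send it over http://
            missing.append("Secure")
        if not morsel["httponly"]:    # script on the page can read it
            missing.append("HttpOnly")
        if missing:
            problems[name] = missing
    return problems


if __name__ == "__main__":
    # What the eavesdropper ends up with from the constructed capture.
    for host, cookies in hijackable_sessions(CAPTURED_REQUESTS).items():
        print(f"{host}: {cookies}")
    # The weak Set-Cookie beside its hardened form.
    print(audit_set_cookie("sid=9f8e7d6c5b4a; Path=/"))
    print(audit_set_cookie("sid=9f8e7d6c5b4a; Path=/; Secure; HttpOnly"))
```

One caveat worth keeping in mind when a site moves to HTTPS for the whole session: that alone is not enough. Without the Secure attribute, the browser will still attach the session cookie to any http:// request for the same domain, for example a link or image that someone slipped in over plain HTTP, so the cookie leaks just as it did before. The fix is both halves together: serve every page over HTTPS and mark the session cookie Secure.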