HTTPS Everywhere gets Firefox "Firesheep" protection

Electronic Frontier Foundation offers protection for Firesheep, other vulnerabilities

The Electronic Frontier Foundation (EFF) today said it rolled out a version of HTTPS Everywhere that offers protection against "Firesheep" and other tools that seek to exploit webpage security flaws.

Hitting the streets in October, Firesheep caused a storm of controversy over its tactics, ethics and Web security in general. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors' log-in credentials.

What's up with encryption?

HTTPS secures Web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, users' online reading habits and activities are vulnerable to eavesdropping and hijacking, EFF states.

EFF says the new version of HTTPS Everywhere (0.9.x) is a direct response to growing concerns about website vulnerability in the wake of Firesheep on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough.

"These new enhancements make HTTPS Everywhere much more effective in thwarting an attack from Firesheep or a similar tool," said EFF Senior Staff Technologist Peter Eckersley in a statement. "It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks. And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal."

EFF says that HTTPS Everywhere now protects site such as Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly. Websites may default to using the unencrypted, and therefore vulnerable, HTTP protocol or may fill HTTPS pages with insecure HTTP references. EFF's HTTPS Everywhere tool uses carefully crafted rules to switch sites from HTTP to HTTPS, the company stated.

Firesheep creator Eric Butler wrote on his blog during the recent storm of protest:  

"I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: 'Is it legal to access someone else's accounts without their permission'."

Follow Michael Cooney on Twitter: nwwlayer8  

Layer 8 Extra

Check out these other hot stories:

Space X gets first private FAA reentry license from space

The battle for space shots heats up on the ground

10 free iPhone apps for spectacular stargazing

NASA, Google, Microsoft, Yahoo!, World Bank team to offer hackathon

World Toilet Day spotlights the throne

Cisco co-founder now talks, lives, breathes turkey

NASA satellite shows comet throwing off cosmic snowstorm

US court eJuror system could lead to whole new list of jury duty excuses

Who will build the next enterprise architects?

DARPA taps Carnegie Mellon to build "flying car" brains

Satellite moved to die a quicker death, reduce space junk

The tribe spoke: Former Yahoo! exec. gets booted off "Survivor"

IBM: New chip-making technology will boost Internet core

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies