Frak Firesheep: The whole Internet needs to run on SSL -- NOW
I used to like cookies. Oatmeal raisin. Chocolate chip. Oreos, if dipped in frosty milk. No longer. I hate cookies, thanks to all the privacy-snooping bits left on my computer -- whether or not I want these crumbs. Today, I've got another reason to hate cookies and to demand that all the frakers sending information in the clear over the Internet cease and desist: Firesheep.
What? You haven't heard about the new Firefox plug-in that lets anyone as capable as a four-year-old snatch your log-in information out of thin air? Well, hell, put down your damn Starbucks cup and disconnect from the open WiFi network (after reading this post, of course)! This plug-in, which was quietly released yesterday, is literally hacking for idiots. If you're smart enough to install a Firefox plug-in, you, too, can snatch credentials from backwater, unsecured services -- like Facebook.
Firesheep developer Eric Butler explained just how easy the plug-in is to use: "After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big 'Start Capturing' button. Then wait. As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed...Double-click on someone, and you're instantly logged in as them."
Ah hum. No more cheap coffee and free WiFi at the Internet cafe for me. "One word: Wow," Evelyn Rusli writes for TechCrunch. Rusli is freaking out, too. "It's not hard to comprehend the far-reaching ramifications of this tool. Anytime you're using an open Wi-Fi connection, anyone can swiftly access some of your most private, personal information and correspondence (i.e. direct messages, Facebook mail/chat) -- at the click of a button. And you will have no idea."
The problem is this: Most -- not many, seriously most -- Websites using or requiring log-in information send it in the clear over HTTP. Encrypted communications require continuous HTTPS. Apple and Google have it for their Web-based mail services. Some sites that might appear secure probably aren't. When logging into the Wall Street Journal Online, I briefly see flashing HTTPS. But the session is otherwise HTTP.
Butler created Firesheep, so I'll let him explain: "When an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular Website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."
Emphasis: Open. If your home WiFi network requires a password, then your information is encrypted over the air. But sophisticated hackers can bypass some wireless security. HTTPS adds another layer of security on a secured network and provides one on open networks, where there is otherwise none. In an HTTP session, even where the log-in itself is encrypted, the cookie sent back to the computer can travel in the clear, or be resent in the clear with later requests. Unless the site uses HTTPS for the entire session, cookies can expose logged-in sessions.
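For site operators, the gap described above can be checked from the response headers of the log-in page. The following is an added example, not code from Firesheep or from any site named in this post: it flags a session cookie issued without the Secure attribute, a redirect back to HTTP, and a missing Strict-Transport-Security header. The cookie names, host and header values are constructed, and the Secure attribute and HSTS are standard browser mechanisms the post does not name.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers of a log-in response that was itself served over HTTPS.
WEAK_LOGIN_RESPONSE = [
    ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),  # no Secure attribute
    ("Set-Cookie", "theme=dark; Path=/"),                   # not a session cookie
    ("Location", "http://www.example.test/home"),           # drops back to HTTP
]
# Constructed sample: the same response from a site that stays on HTTPS throughout.
HARDENED_LOGIN_RESPONSE = [
    ("Set-Cookie", "session_id=3f9a1c; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Location", "https://www.example.test/home"),
]


def audit_login_response(headers, session_cookie_names):
    """Return (code, detail) findings for ways the session can reach plain HTTP."""
    findings = []
    has_hsts = False
    for name, value in headers:
        header = name.lower()
        if header == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # Without Secure, the browser attaches the cookie to http:// requests too.
                if cookie_name in session_cookie_names and not morsel["secure"]:
                    findings.append(("cookie-not-secure", cookie_name))
        elif header == "location" and value.lower().startswith("http://"):
            # The rest of the session continues unencrypted after log-in.
            findings.append(("redirect-to-http", value))
        elif header == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        # Without HSTS, nothing tells the browser to refuse plain HTTP to this host.
        findings.append(("no-hsts", "Strict-Transport-Security header missing"))
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_LOGIN_RESPONSE),
                            ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_login_response(response, {"session_id"}))
```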
Giving Guns to Kids
The plug-in is abominable but not the problem. No commercial Website, particularly those demanding log-in credentials, should send anything in the clear. On that I agree with Butler, who writes: "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."
That's a nice sentiment, but does Butler have to make the point by giving loaded guns to kids? This plug-in can turn just about anybody into a hacker. Just point and click -- and you're dead. Oh, I can just imagine the hacked Facebook sites tomorrow as teens ride other kids' cookies to make fake Wall posts and do much worse.
I see two problems: Major services being too cheap or too lazy to buy SSL certificates and overuse -- I say abuse -- of cookies. On SSL, Facebook's official response (given to TechCrunch) is indicative of the problem: "We have been making progress testing SSL access to Facebook and hope to provide it as an option in the coming months. As always, we advise people to use caution when sending or receiving information over unsecured WiFi networks." Yeah, so much for security being a priority.
Regarding cookies, the Wall Street Journal is running a fantastic investigative series, "What They Know," into online security. It's helluva great reporting. The ninth story in the series posted overnight. Contrary to the popular belief that tracking services can't or won't identify people using cookies, reporter Emily Steel found a major service that does just that. I also recommend "Sites Feed Personal Details To New Tracking Industry," "The Web's New Gold Mine: Your Secrets" and "On the Web's Cutting Edge, Anonymity in Name Only." All four stories report, at least somewhere, how these frakers use cookies to pilfer personal information.
Who can escape cookies? I pay for Wall Street Journal Online, which is one of the worst cookie poopers I've observed. If I don't accept cookies, I can't access WSJ content. Worse, some services require that the browser accept cookies from third-party domains to work. What the frak?
As bad as cookies are, you know what really pisses me off? When, after setting up a new account at some Web service, I receive a confirmation e-mail containing my password. In the clear. WTH?
Fix It: Encrypt It
It's time for serious changes:
1. Major Web services should immediately turn on SSL and provide continuous HTTPS sessions. Google set a great example by doing this with Gmail. Voluntary action should become mandatory, with regulators the world over making rules, if industry doesn't change its behavior.
2. Cookies should be abandoned (outlawed would be better), not that I believe free Web marketers will allow this to happen.
3. There should be a single, standard secure sign-on mechanism built into browsers and other Net connecting software -- no cookies required.
4. It should be (if it's not already) a crime for someone to release a hacking tool that is the equivalent of giving loaded guns to kids. I assert that Butler acted irresponsibly by releasing Firesheep into the wild.
Bottom line: If nothing else changes, the whole Internet needs to run on SSL. Now. It's a drastic approach because of costs involved. If you have a better idea, please share it in comments.