Over the years, there has been a steady progression of polished, easy to use tools that have lowered the bar for hackers. Firesheep is a good example of one such tool. Firesheep was designed to highlight how many web sites use weak authentication that is vulnerable to sniffing. While it is a common practice for web sites to secure the initial login, many leave cookies and additional communication in the clear. By simply sniffing and capturing these cookies, the user’s credentials can be easily sidejacked.
Firesheep operates as a Firefox add-on and goes a long way in demonstrating that too many web sites don’t sufficiently protect their users. This is not the first tool to offer this functionality. Commercial tools such as Silica, and free offerings like, Hamster, previously demonstrated these types of attacks are possible. What Firesheep does so well is make the attack far too easy for even a script kiddie to launch. It also highlights the continued failure by many to take network security seriously.
To install the tool, the user needs to download the firesheep-0.1-1.xpi file and then install it in Firefox. Windows users will also need to install Winpcap. Once these two steps are completed, all that is needed is to open the Firesheep sidebar in Firefox and set the tool to capture. The only real fix for the problem that Firesheep has once again exposed is encryption.
Until long term fixes are developed users must rely on tools such as HTTP-Everwhere, Force-TLS, and VPN’s. I hope the release of this tool serves as a wakeup call to the many organizations on the web that have failed to provide adequate protection for their users. Only time will tell if this proves to be true.