I personnaly test it and it works..one table away lang ung na access account ko..hmm..i would definitely not used my facebook account in fastfoods and mall again to be safe..!!! But i would be using Force-TLS to counter this firesheep maybe..
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web.
In a post on his site Butler describes how Firesheep works. Once installed, Firesheep displays a sidebar with a “Start Capturing” button. All the user needs to do is connect to an open Wi-Fi network, click the button and as soon as anyone on the network visits an insecure site known to Firesheep, the program captures the cookie that contains their log in details and their name and photo will be displayed in the sidebar. Double click on the displayed user and you’ll be logged in as them and able to wreak all kinds of havoc.
Butler highlights Facebook and Twitter as two of the more popular sites that are vulnerable to sidejacking using Firesheep but the program can also capture cookies from Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, WordPress, Yahoo and Yelp. Additionally, users can write their own plugins to access other unsecured HTTP sites.
Butler says the only effective way to combat the vulnerability Firesheep takes advantage of is for the sites to use full end-to-end encryption, known as HTTPS or SSL but many sites default to the HTTP protocol because it’s quicker. A TechCruch reader claims to have found a workaround using the existing Force-TLS Firefox extension that forces sites to use the HTTPS protocol, thereby making a user’s cookies invisible to Firesheep. But with most people unlikely to be security conscious enough to install it’s hardly a complete solution.
Butler has released Firesheep as open source and it can be downloaded from his site for both Mac OS X and Windows, with a Linux version on the way.
No comments:
Post a Comment