A security company has developed a free Firefox add-on that warns when someone on the same network is using Firesheep, a tool that has raised alarm over how it simplifies an attack against a long-known weakness in Internet security.
Firesheep, which was unveiled at the ToorCon security conference last month by Eric Butler, collects session information that is stored in a web browser's cookie. The session information is easily collected if transmitted back and forth between a user's computer and an unencrypted Wi-Fi router while a person is logged into a web service such as Facebook.
While most websites encrypt the traffic transmitted when logging into a website, most then revert to passing unencrypted information during the rest of the session, a weakness that security analysts have warned of for years, particularly for users of public open Wi-Fi networks.
Firesheep identifies that unencrypted traffic and allows an interloper to "hijack" the session, or log into a website as the victim with just a couple of clicks. The style of attack has been possible for a long time, but because of its simple design, Firesheep has given less sophisticated users a powerful hacking tool.
Zscaler's The Blacksheep add-on, however, will detect when someone on the same network is using Firesheep, allowing its users make a more informed security decision about their behaviour while on an open Wi-Fi network.
Once Firesheep has intercepted someone's session credentials for a website, it makes a request to that site using the same cookie values. Blacksheep plays on this by making HTTP requests every five minutes to those sites monitored by Firesheep, but using fake cookie values. If Blacksheep then detects Firesheep making a request to the site using the same fake cookie values, it can raise a warning, Zscaler said.
Security analysts have recommended that websites encrypt all traffic, but many sites have been unwilling to do it because of the extra processing power needed to maintain encryption. However, there has been progress: In January, Google turned on HTTPS encryption for all users of its Gmail service, where previously it had only been an option.
Other defences against Firesheep include simply not using open Wi-Fi networks. If that's not an option, the Electronic Frontier Foundation built a Firefox add-on called "HTTPS Everywhere," which will automatically trigger an encrypted session with those websites capable of providing one. A VPN connection can also thwart attacks.