EFF tool provides protection from ‘Firesheep’
ECM Plus – The Electronic Frontier Foundation has just launched a new version of ‘HTTPS Everywhere’, a free security tool with enhanced protection for the Mozilla Firefox web browser against so-called “Firesheep” and other exploits of webpage security flaws.
According to the Foundation, HTTPS secures web browsing by encrypting both requests from the Firefox browser to websites and the resulting pages that are displayed. Without HTTPS, online reading habits and activities are vulnerable to eavesdropping, and accounts are vulnerable to hijacking.
Their report stated that while many sites on the web offer some limited support for HTTPS, it said it was often difficult to use. Websites may default to using the unencrypted, and therefore vulnerable, HTTP protocol or may fill HTTPS pages with insecure HTTP references. The HTTPS Everywhere tool uses carefully-crafted rules to switch sites from HTTP to HTTPS.
The new free version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user’s web accounts, on social networking sites or webmail systems, for example, if the browser’s connection to the web application either does not use cryptography or does not use it thoroughly enough. Firesheep, which was released in October as a demonstration of a vulnerability that computer security experts have known about for years, sparked a flurry of media attention.
“These new enhancements make HTTPS Everywhere much more effective in thwarting an attack from Firesheep or a similar tool” commented The Foundation’s senior staff technologist Peter Eckersley. “It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks. And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal.”
Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub.
In addition to the HTTPS Everywhere update, the Foundation also released a guide to help website operators implement HTTPS. “Firesheep works because many websites fail to use HTTPS,” said technology director at the Foundation, Chris Palmer. “Our hope is to make it easier for web applications to do the right thing by their users and keep us all safer from identity theft, security threats, viruses, and other bad things that can happen through insecure HTTP. Taking a little bit of care to protect your users is a reasonable thing for web application providers to do and is a good thing for users to demand.”
The first beta of HTTPS Everywhere was released last June. Since then, the tool has been downloaded more than half a million times.
To download HTTPS Everywhere for Firefox:
For more on implementing HTTPS in websites: