The session hijacking tool Firesheep is rightly drawing a lot of attention. I saw this ComputerWorld article, via Hacker News, that explains remarks from Mike Beltzner, the Firefox project director. Basically, Mozilla will not use its blacklist mechanism to block the dangerous add-on. The reasoning is that it doesn't directly exploit any security problems within the browser itself. Further, the add-on is not an approved one listed in Mozilla's central registry; rather, it is being distributed directly by Eric Butler, its author. Mozilla's blacklist may not be effective against it, since it doesn't rely on their distribution channel.
Blocking Firesheep won't help with the issues that Butler intended it to raise. In the post about Firesheep on Mozilla's security blog, Sid Stamm points out that whether Firesheep is an add-on or a standalone software tool is largely irrelevant. The problem has been well hashed over in a number of posts to which I've linked. To recap quickly: while initial login requests are usually encrypted, subsequent interactions with sites like Facebook, Twitter and others are not encrypted, and they expose session cookies in the clear. Those cookies are what Firesheep is able to capture and use to hijack users' sessions, despite the actual login being totally secure.
EFF has another excellent write-up of the lesson of Firesheep: web sites that rely on persistent identification of their users need to do more than just protect the initial login. They recommend, as I did earlier, use of the HTTPS Everywhere add-on for Firefox. The Mozilla Security Blog post, linked above, has a few other options if you are brave enough to use the Firefox 4 beta like me.
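The two paragraphs above describe the actual weakness: a session cookie set after a secure login that the browser will also attach to later plain-HTTP requests, because the cookie was issued without the Secure attribute. The following is an added example, not code from the original post or from Firesheep, showing how a site operator can audit their own Set-Cookie headers for that condition. The header values and the list of "session-like" name hints are constructed for illustration and are assumptions, not anything taken from a real site.

```python
# Added example (not from the original post): audit Set-Cookie headers for the
# weakness Firesheep exploits, a session cookie that the browser will also send
# over plain HTTP because it lacks the Secure attribute. Names and sample values
# below are constructed for illustration.

# Assumed heuristic: cookie names containing these fragments are treated as
# likely session identifiers. Real sites should use their own known names.
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")

# Constructed sample Set-Cookie headers, not captured from any real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",                        # exposed over http
    "csrf=xyz789; Path=/",                                        # not a session cookie
    "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued ones such as Path map to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Describe how one cookie would fare if the user later loads a plain
    http:// URL on the same site (the situation Firesheep captures)."""
    name, _, attrs = parse_set_cookie(header_value)
    secure = attrs.get("secure") is True
    looks_like_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    return {
        "name": name,
        "secure": secure,
        "httponly": attrs.get("httponly") is True,
        "looks_like_session": looks_like_session,
        # Without Secure, the browser attaches the cookie to http:// requests,
        # so it crosses the wire in the clear on an open network.
        "sent_in_clear": not secure,
        "risk": "HIGH" if looks_like_session and not secure else "low",
    }


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header from one response; return the findings
    with the risky cookies listed first."""
    findings = [audit_set_cookie(h) for h in set_cookie_headers]
    return sorted(findings, key=lambda f: f["risk"] != "HIGH")


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_SET_COOKIE_HEADERS):
        flags = []
        if finding["secure"]:
            flags.append("Secure")
        if finding["httponly"]:
            flags.append("HttpOnly")
        print(f"{finding['risk']:4} {finding['name']:12} "
              f"flags={','.join(flags) or 'none'} "
              f"sent_in_clear={finding['sent_in_clear']}")
```

Run it against the Set-Cookie headers your own login response returns (for example, copied from the browser's network inspector). Note that HttpOnly, which the first sample cookie has, does nothing here: it only stops page scripts from reading the cookie, while the Secure attribute is what keeps the browser from sending it over an unencrypted connection. The lasting fix the post argues for is the same as what the audit checks: keep the whole logged-in session on SSL and mark the session cookie Secure so it never leaves the browser in the clear.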
The biggest problem I have run into with forcing SSL where I can is that many sites clearly are not tested with encryption always on. Thankfully, none of the sites I found to be broken, like Facebook, are all that important. Hopefully part of the attention Firesheep draws, and the subsequent increase in users forcing SSL, will pressure sites that break to provide fixes or, better yet, default to SSL while their users are logged in.
Mozilla: No ‘kill switch’ for Firesheep add-on, ComputerWorld