MORE FIRESHEEP fun is to be had as one of its creators has blogged to say that future versions are still to come.
The extension for Firefox that is Firesheep caused a wave of Internet gibbering when it was released at the weekend and shown to allow people to grab personal data from social notworking websites. As of yesterday, over 120,000 people had downloaded the app, and probably not for highly moral purposes, either.
Firesheep was created by Ian Gallagher, an IT worker in the insecurity field, and his pal Eric Butler, a freelance web applications software developer based in Seattle. They wanted to raise the issue of HTTP session hijacking, which has been known to be a problem for at least six years, and is the basis of how Firesheep works.
In a moment of understatement, not something Americans are known for, Butler said on his blog on 26 October, "I thought there might be moderate interest".
Butler goes on to criticise website owners for encrypting only the initial login, where the username and password are sent, and not the subsequent requests that carry the session cookie the site hands back. Protecting against what Firesheep exploits would simply require websites to serve every page over HTTPS, and to mark the session cookie Secure so the browser never sends it over plain HTTP at all. Alas, the big beasts of the Internet jungle haven't been bothered.
To quote Butler, "These sites fail to protect you because after you've authenticated, you're issued a cookie that identifies you throughout your browsing session." He should have added, "these so-called professionals who make schoolboy errors".
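To make the mechanism concrete, here is an added example in Python; it is not Firesheep's code and none of the header values below belong to any real site, they are constructed for illustration. It does the two things that matter here: it reads a site's Set-Cookie headers and reports which cookies a browser would attach to a plain http:// request (those lacking the Secure attribute), and it pulls the cookies out of a plaintext request exactly as a passive sniffer on a shared network would see them, then formats them back into a Cookie header for replay.

```python
"""Does a site's session cookie leak over plaintext HTTP?

Added example, not code from Firesheep or from any site it targets.
All Set-Cookie values and the captured request are constructed samples.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their values, or to True for
    flag attributes such as Secure and HttpOnly."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def cookies_sent_over_http(set_cookie_headers):
    """Names of cookies the browser would send on an http:// request.

    A cookie without the Secure attribute is attached to plaintext requests
    to the same host, which is exactly what a sniffer harvests. Encrypting
    only the login page does nothing for these."""
    return [
        name
        for name, _, attrs in map(parse_set_cookie, set_cookie_headers)
        if "secure" not in attrs
    ]


def cookies_in_plaintext_request(raw_request):
    """Pull the Cookie header out of a captured HTTP/1.1 request.

    raw_request is the bytes seen on the wire: request line, headers, blank
    line. Returns a dict of cookie name -> value."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    cookies = {}
    for line in lines[1:]:  # skip the request line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "cookie":
            for pair in val.split(";"):
                n, _, v = pair.strip().partition("=")
                if n:
                    cookies[n] = v
    return cookies


def replay_cookie_header(cookies):
    """Format harvested cookies back into a Cookie header.

    This is all a hijacker needs: the server trusts the cookie alone, so
    replaying it makes the attacker's requests look like the victim's."""
    return "Cookie: " + "; ".join(f"{n}={v}" for n, v in cookies.items())


# Constructed login response from a hypothetical site that encrypts only
# the login and sets its session cookie without Secure.
WEAK_SET_COOKIE = [
    "sid=7d1c2f3a9b; Path=/; HttpOnly",
    "lang=en; Path=/",
]

# The same site after the fix: session cookie marked Secure, so the browser
# refuses to send it over plain HTTP. (Serving every page over HTTPS is still
# needed so the user is never on an http:// page to begin with.)
FIXED_SET_COOKIE = [
    "sid=7d1c2f3a9b; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

# A constructed plaintext request as it would cross an open wireless network.
SNIFFED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: sid=7d1c2f3a9b; lang=en\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("exposed before fix:", cookies_sent_over_http(WEAK_SET_COOKIE))
    print("exposed after fix: ", cookies_sent_over_http(FIXED_SET_COOKIE))
    harvested = cookies_in_plaintext_request(SNIFFED_REQUEST)
    print("harvested:", harvested)
    print("replay with:", replay_cookie_header(harvested))
```

Run against the constructed data, the weak site exposes both `sid` and `lang` on http:// requests, the fixed site only the harmless `lang`, and the sniffed request yields a ready-to-replay Cookie header. Pointing `cookies_sent_over_http` at the real Set-Cookie headers from your own login response is a quick way to check whether you are one of the sites Butler is complaining about.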
Apparently pleased with his new-found fame and the widespread interest in Firesheep, Butler said, "Keep an eye on this blog as well as my Twitter feed for updates on these issues and other new features." We certainly will, with slightly more than casual interest. µ