Microsoft contemplating SSL for Bing
Posted on 29 October 2010.
HTTP session hijacking, and the tools to carry it out, have been around for more than half a decade, but it took an easy-to-use Firefox add-on like Firesheep to point out "the elephant in the room" - the lack of full end-to-end encryption on popular sites such as Facebook, Twitter, Yahoo, Bing, and many others.

"Sniffing out" unencrypted HTTP sessions on a network segment, hijacking them and impersonating the user has suddenly become possible for everyone - even for the least experienced users, who know next to nothing about the underlying technology.

Four days after Firesheep was made available, over 400,000 users had downloaded it and satisfied their curiosity. Some of them have probably used it for more than that - who knows how many unethical and illegal things were done with the information that was accessed through its use? But that is beside the point, because things like that happened before Firesheep - the only difference was that one had to be moderately tech-savvy to do it.

"Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," says Eric Butler, one of the developers of the add-on.

"The real story here is not the success of Firesheep but the fact that something like it is even possible," says Ian Gallagher, Butler's co-presenter of Firesheep at Toorcon. "The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep's success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."

Both of them might just see their wish fulfilled. According to a NetworkWorld blogger, Microsoft is looking into implementing SSL in a future release of Bing. And I'm betting that other companies and online services are looking into it.

As stated before, HTTP session hijacking is not a new thing, and many tools that make it possible have surfaced over the years. "Firesheep is doing the exact same thing as these other tools, but with a simpler user interface," says Gallagher. "Because of its simplicity, Firesheep has already succeeded in demonstrating the risks of insecure websites to a much wider audience than any previous tool, in a single day."

And that, my friends, is the real value of this controversial extension.





