David Heath
Wednesday, 16 March 2011 13:32
Business IT - Security
Page 1 of 2
After what seems like an eternity (punctuated by the 'hacking' of Ashton Kutcher's account), Twitter has finally enabled HTTPS on its website.
In late October 2010, the Internet was awash with tales of the Firefox plug-in "Firesheep", which could steal authentication secrets from anyone's open Wi-Fi connection to any website that used session cookies; this included Twitter and Facebook amongst many others. Soon after, vendors started to offer temporary solutions, one of which was Blacksheep from Zscaler.
To recap the problem: after establishing one's credentials with a website by transmitting a valid username and password, a simple cookie is used to persist the authentication. At no time is this process secured via SSL.
To make matters worse, if you're communicating with this website (perhaps it is a popular webmail or social media site) on a public Wi-Fi network everything you transmit is in the clear and can be captured by anyone.
Now it's possible that a malefactor may have missed your authentication transaction, but that doesn't matter - the session cookie is exchanged with every transaction and is ripe for the picking.
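The exposure described above, as an added example that is not part of the original article: a small Python check that parses the Set-Cookie headers a login response returns and reports which cookies a browser would still transmit over plain HTTP (the cookie names and values below are constructed, not Twitter's).

```python
# Added example (not from the article): parse Set-Cookie headers from a
# login response and report which cookies a browser would still send over a
# plaintext http:// request, i.e. which ones are exposed on open Wi-Fi.
# Cookie names and values are constructed for illustration.
from dataclasses import dataclass
from typing import List


@dataclass
class Cookie:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name plus the two protective flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def exposed_over_plaintext(headers: List[str]) -> List[str]:
    """Names of cookies the browser would attach to any http:// request.

    Without the Secure attribute a cookie rides along on every plain HTTP
    request, so a passive listener on the same network sees it even if the
    login itself happened over HTTPS."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


def audit(headers: List[str]) -> List[str]:
    """Human-readable findings, one per cookie, for a defender reviewing a site."""
    findings = []
    for c in map(parse_set_cookie, headers):
        problems = []
        if not c.secure:
            problems.append("missing Secure (sent over plain HTTP)")
        if not c.httponly:
            problems.append("missing HttpOnly (readable by page scripts)")
        findings.append(f"{c.name}: " + ("; ".join(problems) if problems else "ok"))
    return findings


# Constructed sample: the kind of headers a login response might set.
SAMPLE_HEADERS = [
    "_session_id=abc123; Path=/; HttpOnly",            # no Secure: exposed
    "auth_token=cafef00d; Path=/; Secure; HttpOnly",   # protected
    "lang=en; Path=/",                                 # harmless, but still plaintext
]

if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
```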
Finally, Twitter has enabled HTTPS connections; but not by default.
iTWire suggests you RUN (don't walk) to twitter.com (using a wired connection, of course!), log in, go to the settings page, and at the bottom find the new option "Always use HTTPS." Tick the box and click Save.
Read on for some of the limitations in this.