Firesheep Puts Heat on Online Companies to Use HTTPS

Editor’s note: This is a guest post by Aaron Brauer-Rieke from the Center for Democracy & Technology (CDT), a non-profit public interest organization based in Washington, DC. For more on online consumer privacy, visit CDT’s Take Back Your Privacy page.

A sneaky application called Firesheep has been getting a lot of attention 
in privacy and security circles the last couple of weeks. It’s an urgent reminder that online services must provide proper security to their users.

Firesheep allows a network eavesdropper to hijack another user’s unencrypted session by sniffing packets and obtaining that user’s cookie. This means that, by default, accounts on Facebook, Twitter, Flickr, and many other popular sites are vulnerable to tampering. This vulnerability is particularly acute on public wifi networks like those at coffee shops.

  The problem, called session hijacking, isn’t a new one, but the technology to protect against it is within reach. An encrypted connection between a user and a website, colloquially referred to as HTTPS, can provide substantial protection. Payment processors, banks, and other types of websites that have a stake in protecting their customers’ data regularly use HTTPS.

The real story here is the fact that so many popular websites still don’t provide HTTPS to their users by default.

Web firms are gradually wising up to the importance of HTTPS. Earlier this year, Google made HTTPS encryption the default for Gmail. In the wake of Firesheep, Facebook is taking steps to provide better security for its users. A spokesperson recently said Facebook has been “making progress testing SSL access across Facebook and hope to provide it as an option in the coming months.” Similar discussions are likely taking place across the industry.

The costs of transitioning to HTTPS vary, but encrypted connections are becoming more feasible and cost effective every day. There are a few potential downsides: Latency can be increased by encryption and some web services are coded in a manner that makes the transition to HTTPS more strenuous. However, Adam Langley, a Google engineer, has argued that HTTPS is simply “not computationally expensive any more.”

It’s time for online companies and services to start taking HTTPS seriously. Hacking tools are becoming increasingly common and user friendly; ignoring them is no longer an option. It’s true that not all websites really need encryption. For example, basic blogs and news sites don’t handle sensitive information. However, social networks, communications platforms, and any other websites handling personal data should be thinking hard about making the transition to HTTPS. If users don’t feel secure, they might abandon an online service for a safer destination.