Firesheep Puts Heat on Online Companies to Use HTTPS

Editor’s note: This is a guest post by Aaron Brauer-Rieke from the Center for Democracy & Technology (CDT), a non-profit public interest organization based in Washington, DC. For more on online consumer privacy, visit CDT’s Take Back Your Privacy page.

A sneaky application called Firesheep has been getting a lot of attention in privacy and security circles the last couple of weeks. It’s an urgent reminder that online services must provide proper security to their users.

Firesheep allows a network eavesdropper to hijack another user’s unencrypted session by sniffing packets and obtaining that user’s cookie. This means that, by default, accounts on Facebook, Twitter, Flickr, and many other popular sites are vulnerable to tampering. This vulnerability is particularly acute on public wifi networks like those at coffee shops.

The problem, called session hijacking, isn’t a new one, but the technology to protect against it is within reach. An encrypted connection between a user and a website, colloquially referred to as HTTPS, can provide substantial protection. Payment processors, banks, and other types of websites that have a stake in protecting their customers’ data regularly use HTTPS.
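A site operator can check whether its own responses leave cookies exposed to this kind of eavesdropping. The Python sketch below is an added example, not part of the original post: it flags cookies that are set over plain HTTP or that lack the `Secure` attribute. The function names, the `social.example` hostname, and the header values are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(url, headers):
    """List cookies from one response that a network eavesdropper could read.

    headers is a list of (name, value) tuples because Set-Cookie can repeat.
    """
    findings = []
    over_tls = urlsplit(url).scheme.lower() == "https"
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not over_tls:
            findings.append((cookie, "set over unencrypted HTTP"))
        elif "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to plain
            # http:// requests to the same site, where it can be sniffed.
            findings.append((cookie, "missing Secure attribute"))
    return findings

# Constructed sample responses (hostnames and cookie values are made up).
HTTP_ONLY_SITE = ("http://social.example/home",
                  [("Set-Cookie", "session=abc123; Path=/")])
HTTPS_LOGIN_ONLY = ("https://social.example/login",
                    [("Content-Type", "text/html"),
                     ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
                     ("Set-Cookie", "csrf=9f2c; Path=/; Secure")])
HTTPS_BY_DEFAULT = ("https://social.example/home",
                    [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for url, headers in (HTTP_ONLY_SITE, HTTPS_LOGIN_ONLY, HTTPS_BY_DEFAULT):
        print(url, audit_response(url, headers) or "no exposed cookies")
```

The second sample shows why encrypting only the login page is not enough: the session cookie is issued over HTTPS but, lacking `Secure`, still travels in the clear on later unencrypted requests.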

The real story here is the fact that so many popular websites still don’t provide HTTPS to their users by default.

Web firms are gradually wising up to the importance of HTTPS. Earlier this year, Google made HTTPS encryption the default for Gmail. In the wake of Firesheep, Facebook is taking steps to provide better security for its users. A spokesperson recently said Facebook has been “making progress testing SSL access across Facebook and hope to provide it as an option in the coming months.” Similar discussions are likely taking place across the industry.

The costs of transitioning to HTTPS vary, but encrypted connections are becoming more feasible and cost-effective every day. There are a few potential downsides: encryption can increase latency, and some web services are coded in a manner that makes the transition to HTTPS more strenuous. However, Adam Langley, a Google engineer, has argued that HTTPS is simply “not computationally expensive any more.”

It’s time for online companies and services to start taking HTTPS seriously. Hacking tools are becoming increasingly common and user-friendly; ignoring them is no longer an option. It’s true that not all websites really need encryption. For example, basic blogs and news sites don’t handle sensitive information. However, social networks, communications platforms, and any other websites handling personal data should be thinking hard about making the transition to HTTPS. If users don’t feel secure, they might abandon an online service for a safer destination.

Hercules holds a B.Comm Finance from Ryerson University in Toronto, Canada. He is a Chartered Financial Analyst (CFA) level 3 candidate. He was previously a contributor at FiLife, a finance website owned by Dow Jones and IAC.