Protect yourself from FireSheep with HTTPS Everywhere

FireSheep is a new Firefox extension that makes it very easy to take over other people’s Facebook/Twitter/etc logins on public wifi networks. This has always been possible for people familiar with HTTP internals, but FireSheep makes it accessible to a lay person.

The author put out a detailed essay examining the causes of the security issues FireSheep exposes. I highly recommend reading it as a good overview of the issues.

There are two Firefox extensions that will do a lot to protect you from FireSheep and similar tools.

HTTPS Everywhere is one of them. I’ve been using it since the first release. What it does is force the secure HTTPS protocol for sites like Facebook and Twitter that offer it as an option but default to HTTP.

The only site I’ve had issues with for HTTPS Everywhere is Wikipedia. Here’s my config with Wikipedia disabled:

HTTPS Everywhere configuration with Wikipedia disabled

The other one that I just found out about is Force-TLS. Whenever it encounters an X-Force-TLS HTTP header, it will force HTTPS connections to that site in the future. This is not immediately useful, but it will become more useful over time as more web sites support HTTPS.
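The remember-and-upgrade behaviour described above can be modelled in a few lines. This is an added sketch, not code from the post or from the Force-TLS extension. The class name `ForceTlsStore`, the `max-age` / `includeSubDomains` value syntax, the choice to honour the header only over HTTPS, and the `example.test` hosts are assumptions made for illustration.

```javascript
// Added illustration: a minimal model of "see the header once, use HTTPS afterwards".
// Assumption: the header value looks like "max-age=<seconds>; includeSubDomains".
class ForceTlsStore {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so expiry can be tested
    this.hosts = new Map();  // hostname -> { expires, includeSubDomains }
  }

  // Record a response. This sketch honours the header only when it arrived over
  // HTTPS, because a header received over plain HTTP could be altered in transit.
  observe(url, headers) {
    const u = new URL(url);
    const value = headers['x-force-tls'];
    if (u.protocol !== 'https:' || value === undefined) return false;
    const directives = value.split(';').map((d) => d.trim().toLowerCase());
    const maxAge = directives.map((d) => /^max-age=(\d+)$/.exec(d)).find(Boolean);
    if (!maxAge) return false;
    const seconds = Number(maxAge[1]);
    if (seconds === 0) { this.hosts.delete(u.hostname); return true; }
    this.hosts.set(u.hostname, {
      expires: this.now() + seconds * 1000,
      includeSubDomains: directives.includes('includesubdomains'),
    });
    return true;
  }

  // True if the host, or a remembered parent that covers subdomains, is still pinned.
  isForced(hostname) {
    for (const [host, entry] of this.hosts) {
      if (entry.expires <= this.now()) { this.hosts.delete(host); continue; }
      if (hostname === host) return true;
      if (entry.includeSubDomains && hostname.endsWith('.' + host)) return true;
    }
    return false;
  }

  // Rewrite an outgoing URL before the request leaves the browser.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isForced(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}
```

Until the header has been seen once over HTTPS, `upgrade()` leaves the URL alone, so the very first visit to a site still goes out over plain HTTP.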

I should mention that your Gmail accounts are safe, as Google wisely made it HTTPS-only earlier this year.


Published by

Leons Petrazickis
