Protect yourself from FireSheep with HTTPS Everywhere

FireSheep is a new Firefox extension that makes it very easy to take over other people’s Facebook/Twitter/etc logins on public wifi networks. This has always been possible for people familiar with HTTP internals, but FireSheep makes it accessible to a lay person.

The author put out a detailed essay examining the causes of the security issues FireSheep exposes. I highly recommend reading it as a good overview of the issues.

There are two Firefox extensions that will do a lot to protect you from FireSheep and similar tools.

HTTPS Everywhere is one of them. I’ve been using it since the first release. It forces the secure HTTPS protocol for sites like Facebook and Twitter that offer it as an option but default to HTTP.

The only site I’ve had issues with for HTTPS Everywhere is Wikipedia. Here’s my config with Wikipedia disabled:

[Screenshot: HTTPS Everywhere configuration with Wikipedia disabled]

The other one that I just found out about is Force-TLS. Whenever it encounters an X-Force-TLS HTTP header, it will force HTTPS connections to that site in the future. This is not immediately useful, but it will become more useful over time as more web sites support HTTPS.
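A sketch of the remember-and-upgrade behaviour described above, as an added example rather than Force-TLS's own code. The class name, the `max-age` directive syntax (borrowed from Strict-Transport-Security) and the `example.test` host are assumptions; the sketch also shows that the very first plain-HTTP visit to a site is not protected.

```javascript
// Added illustration, not Force-TLS source code.
// Assumption: the header value carries "max-age=<seconds>", as in
// Strict-Transport-Security; the post does not describe the syntax.
class ForceTlsStore {
  constructor() {
    this.hosts = new Map(); // hostname -> expiry time (ms since epoch)
  }

  // Record the policy from a response. A header seen over plain HTTP is
  // ignored: anyone on the same network could have injected or altered it.
  noteResponse(url, headers, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    const entry = Object.entries(headers)
      .find(([name]) => name.toLowerCase() === "x-force-tls");
    if (!entry) return false;
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)/i.exec(entry[1]);
    if (!m) return false;
    const seconds = Number(m[1]);
    if (seconds === 0) {
      this.hosts.delete(u.hostname); // assumed: max-age=0 withdraws the policy
    } else {
      this.hosts.set(u.hostname, now + seconds * 1000);
    }
    return true;
  }

  // Rewrite an outgoing http:// URL to https:// when the host is remembered
  // and its policy has not expired. Unknown hosts are left untouched.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "http:") return url;
    const expiry = this.hosts.get(u.hostname);
    if (expiry === undefined) return url;
    if (expiry <= now) {
      this.hosts.delete(u.hostname);
      return url;
    }
    u.protocol = "https:";
    return u.href;
  }
}
```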

I should mention that your Gmail accounts are safe, as Google wisely made it HTTPS-only earlier this year.

Next steps
