[This post is authored by SOIS PhD student Nick Proferes; access other student posts here.]
A threat to individual online privacy often serves as a call to digital arms. It’s been nearly a month since the Firefox Add-On “FireSheep” was released into the wild. For those of you who are not familiar, the program, written by Eric Butler, is an addition to the Firefox web-browser that facilitates the interception of session cookies transmitted in plaintext over unencrypted networks, and then facilities subsequent session side-jacking based on those cookies.
Put more simply, this is a program that could enable an unscrupulous individual to sit at the local coffee-shop that offers unencrypted Wi-Fi, and intercept Facebook or Twitter session logins. With these stolen session logins, that unscrupulous individual can access the unsuspecting person’s accounts, revealing not only friend networks and updates, but also enabling our unscrupulous individual to pose as the unsuspecting person, and as far as the social networking world is concerned, be that unsuspecting person. All accomplished in less than a handful of clicks.
On the flip-side of the coin, this software could also let someone sit at home on his or her own personal network, conduct vulnerability testing, and explore just how perilous unencrypted Wi-Fi can be, certainly a legitimate use. At the time of writing this article, the program had been downloaded 914,159 times. In the event that you fear that all 914,159 copies of are not being used in this legitimate manner, there are tools available, such as the Electronic Frontier Foundation’s “HTTPS Everywhere”, that can help to protect your browsing experience by defaulting your browser to use HTTPS where available (we will talk more about HTTPS shortly).
Many have criticized the release of the software, as it significantly decreases the barriers and knowledge necessary to gain access to another person’s social networking account without their consent. By making it so easy, some would contend, it tempts the innocent into highly unethical and possibly illegal behavior. Did Butler release this software just to create havoc, to see if we would turn into a society bent on spying on each other, invading each other’s privacy?
No. Butler contends that by releasing this software, he is increasing pressure on website administrators and architects to use HTTPS, an encrypted version of the HTTP protocol used to browse the web. In his own words, he states that, “The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL”, and that, “Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. “ By releasing this software, Butler is hoping to exert pressure on the architectural decision-makers at sites like Facebook and Twitter, in order to enact a change in the way they do business: to goad them to use HTTPS by default, by demonstrating how insecure HTTP is.
There is a long and sordid history of programmers releasing software that highlights a security hole or exploit. While many take the view that releasing tools like FireSheep simply enables unethical behavior, in many circles, releasing software that exploits these holes is a form of activism that pushes other coders to make more secure their websites, their software, and their infrastructure. Butler’s code is a call to arm the web with encryption.
At the same time, Butler may not go far enough in advocating for a more secure browsing experience. While employing HTTPS within cookie exchange solves one specific issue, it is security that only exists at one level in a heap of protocols. Encouraging locales that offer unencrypted Wi-Fi to consider changing to encrypted systems would throw an additional roadblock into the way of would-be snoopers. It’s a fairly straightforward solution that would help create thickness in individual privacy. After all, if Wi-Fi draws customers into coffee shops, wouldn’t the ability to browse the web knowing you were secure make that latte even sweeter?