The new version of the Electronic Frontier Foundation’s excellent HTTPS Everywhere browser tool specifically protects against having your credentials to many popular sites lifted with Firesheep (as well as by deliberately malicious tools that actual bad guys make). Wherever a site allows for SSL throughout your session, HTTPS Everywhere will add this. I was recently at EFF and asked Seth Schoen, a staff technologist, to print my boarding card for the next day’s flight from his computer. It took a long time. When I asked why this was, Seth told me that he’d realized that Continental didn’t use SSL to transmit boarding cards by default, but that they supported it, so he was adding a HTTPS Everywhere rule to make sure all the HTTPS Everywhere users who used Continental’s boarding pass service would be protected in future. EFF is adding new sites by the shovel-load, making the free/open HTTPS Everywhere indispensable.
This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user’s web accounts — on social networking sites or webmail systems, for example — if the browser’s connection to the web application either does not use cryptography or does not use it thoroughly enough. Firesheep, which was released in October as a demonstration of a vulnerability that computer security experts have known about for years, sparked a flurry of media attention.
“These new enhancements make HTTPS Everywhere much more effective in thwarting an attack from Firesheep or a similar tool,” said EFF Senior Staff Technologist Peter Eckersley. “It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks. And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal.”
EFF Tool Offers New Protection Against ‘Firesheep’