Tuesday, October 26, 2010

Melina Velba Gallerry

Firesheep: how to snatch (or have snatched) personal data on Facebook

Eric Butler has just released a Firefox extension called Firesheep that hits certain sites where it hurts when it comes to the security of their users' personal data. To look good, most of these major sites encrypt the exchange when the user authenticates with a password, but not the exchanges that follow. After that, everything travels in the clear, or almost!

In particular, communications are in the clear when the online service's machines send back the HTTP cookies used to identify the user when he returns to the site, which spare him from re-entering a user name and password at reconnection. These cookies are also used, in the clear, by mechanisms such as Facebook's "Like" button, which needs a clearly identified user to ensure effective viral spread to his friends: I gave an explicit point-by-point demonstration in this post.


The case is particularly tragic for Facebook (although Firesheep also works for Twitter, Flickr, Google, etc.), whose Like buttons are a huge success.
With these two combined in large numbers, running the Firesheep extension (which uses WinPcap to capture packets on the wireless network) in a public place (trendy café, station hall, etc.) with an unencrypted public Wi-Fi works "miracles": the extension quickly reveals the names and pictures of the users whose cookies it captured as they crossed the wireless network, because their owners are currently "working" on that same wireless network.

Indeed, almost everyone is on Facebook and passes through it, or through a "Like-enabled" site, several times a day, especially when he has 5 minutes to spare with his iPhone while waiting for his train...

You then just click on a user's name to be instantly connected to their account in their place!

Oooooouch, a nasty blow below the belt!

I think they are on a war footing at Facebook to put a countermeasure in place: there have already been too many in-house blunders (even if necessary?...) in the field of privacy!

In my opinion there will not be many possible responses other than the one put in place by Google for Gmail in January of this year: activating end-to-end encryption via SSL to compensate for the negligence of the other links in the transmission chain...

The objective of Eric Butler (like that of my post, for that matter) is not to solicit piracy of personal data but rather to show users the dangers of complacency about protecting their privacy, so that they go and "pull the ears" of the publishers of online services and force them to correct their weaknesses, since exploiting them is within reach of everyone!

In Facebook's case, it should cost a few thousand additional servers (added to an already large fleet...) because the SSL compression is particularly intensive in computing power, if of course that is the solution...
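The weakness described above (password sent over SSL, then the identifying cookie travelling in the clear) can be checked from the service side. The following is an added example, not code from the original post or from Firesheep; the host name, cookie names and header values are constructed, and the `parse_set_cookie` and `audit_flow` helpers are hypothetical.

```python
from urllib.parse import urlsplit, urljoin

def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_flow(flow):
    """flow: list of (request_url, [(header_name, header_value), ...])."""
    findings = []
    for url, headers in flow:
        https = urlsplit(url).scheme == "https"
        for hname, hvalue in headers:
            h = hname.lower()
            if h == "set-cookie":
                cookie, attrs = parse_set_cookie(hvalue)
                if not https:
                    findings.append((url, cookie, "set over cleartext HTTP"))
                elif "secure" not in attrs:
                    # Without Secure the browser replays it on any http:// request.
                    findings.append((url, cookie, "missing Secure: also sent over HTTP"))
            elif h == "location" and https:
                target = urljoin(url, hvalue)  # resolves relative redirects
                if urlsplit(target).scheme == "http":
                    findings.append((url, "-", "redirect downgrades to HTTP"))
    return findings

# Constructed sample: HTTPS login, then the session continues in the clear.
WEAK_FLOW = [
    ("https://service.example/login", [
        ("Set-Cookie", "session=CONSTRUCTED123; Path=/; HttpOnly"),
        ("Location", "http://service.example/home"),
    ]),
    ("http://service.example/home", [("Set-Cookie", "prefs=lang-en; Path=/")]),
]
# Constructed sample: the same service with SSL end to end.
HARDENED_FLOW = [
    ("https://service.example/login", [
        ("Set-Cookie", "session=CONSTRUCTED123; Path=/; Secure; HttpOnly"),
        ("Location", "/home"),
    ]),
    ("https://service.example/home", []),
]

if __name__ == "__main__":
    for finding in audit_flow(WEAK_FLOW):
        print(finding)
    print(audit_flow(HARDENED_FLOW))
```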

Source: Media and Tech Blog (by Didier Durand)
