Sophos Labs: Two weeks ago, an automatic session-hijacking plugin was released for Firefox. It was named Firesheep, and it’s been downloaded over 600,000 times so far.
The decision to release Firesheep publicly is a controversial one. On the good side, it’s reminded people that some of their common web surfing habits are dangerously insecure.
Many websites use HTTPS (secure HTTP) for login, which protects your password. But they revert to insecure HTTP for the rest of the session. After you have logged in, security relies on the browser sending a session cookie – a secret authentication token – in every request.
Websites which send session cookies in unencrypted HTTP requests are exposing your login credentials – albeit only for one session – to anyone else nearby on the network. If you’re on an unencrypted WiFi connection, for example at a local coffee bar, then anyone within range of the WiFi access point can hijack your login.
Since Firesheep proves just how dangerous it is to send session cookies in insecure network packets, it is likely to push businesses such as Facebook and Twitter to adopt HTTPS as an all-session default much sooner than they might otherwise have done.
On the bad side, those 600,000 downloads of Firesheep are 599,999 more than were strictly needed for the software to prove its point.
The author of Firesheep, Eric Butler, is unrepentant about releasing the tool. He’s publicly commented that, “like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends.”
He’s also aghast that Microsoft has started detecting his software as a potential threat, ranting that “by installing anti-virus, you grant a third party the ability to remove files from your system trusting that only malicious code will be targeted. Microsoft and other anti-virus vendors abuse this trust and assert what they think you should or should not be doing with your computer.”
Butler wants to have his cake and eat it.
He’s suggesting that anyone who consents to install his tool – even though its primary function is to hijack other people’s accounts – should be free to do so. Indeed, in his own blog, he offers the viewpoint that “code is a form of speech, and the freedom of speech must remain protected.” (As it happens, I don’t disagree.)
But he vigorously denies the right to Microsoft – and all other security companies – to express an opinion about his software when they come across it. That, opines Butler, is tantamount to censorship.
In Butler’s world, a network administrator who decided to scan his network for potentially unwanted software, including tools that can be used for hacking purposes (the category in which Microsoft, rather reasonably, has placed Firesheep), would have to accept that his security tools could not report openly on what they find, because that would be censorship.
Seems that Butler has a rather one-sided view of free speech.
Moral of the story:
Just because you can write code to prove a point doesn’t mean you have to release it.
If you do release it, you don’t have to package it with a one-click install and a use-it-without-understanding-it GUI.
If you download code which makes anti-social (and probably also illegal) online behavior easy, don’t be anti-social with it.