Microsoft responds to Firesheep cookie-jacking tool - Update
The Firesheep developers continue to be under fire for releasing their cookie-jacking plug-in. In doing so, however, they have already prompted Microsoft to promise that it will fully convert its Hotmail / Windows Live email service to SSL. According to a report from US news web site Digital Society, the services are to be converted before the end of November.
By default, only the log-in itself is encrypted; the subsequent pages and the log-in cookies that identify the session are transmitted in plain text. Firesheep can capture these cookies, for instance on public Wi-Fi networks, and use them to access the accounts without authorisation. The tool is so easy to operate that even those who are new to scripting can wreak havoc with it in places such as a local coffee shop.
Tools like FireShepherd try to frustrate Firesheep's data collection by flooding the Wi-Fi network with junk, which causes the plug-in to crash. However, this counter-attack doesn't solve the basic problem. Plug-ins such as HTTPS Everywhere for Firefox can, at least, automatically redirect connections to SSL-encrypted pages, but only if the server supports HTTPS for those pages.
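The underlying problem described above is a server-side one: a session cookie that is set without the Secure attribute is sent by the browser on every plain-http request to the site, so it is exposed on an open network even when the log-in page was encrypted. The following Python script is an added example, not code from the article or from any of the services it names. It audits a list of Set-Cookie header values (constructed sample values, not real ones) for cookies a passive eavesdropper could read, and shows the hardened form of each header. The header names and cookie values are made up for illustration.

```python
"""Audit Set-Cookie headers for cookies that would travel in the clear on
a plaintext HTTP connection, and produce the hardened equivalent.

Constructed example: the sample headers below are invented and do not
come from any real site.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: three cookies as a site might set them after log-in.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",      # session cookie, no Secure flag
    "prefs=dark; Path=/",                       # harmless preference cookie
    "auth=tok456; Path=/; Secure; HttpOnly",    # already restricted to HTTPS
]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the cookie name plus the two
    attributes relevant here. Attribute names are matched case-insensitively,
    as RFC 6265 requires."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def cookies_exposed_over_http(set_cookie_headers: list[str]) -> list[str]:
    """Return the names of cookies lacking the Secure attribute. A browser
    sends such cookies on any http:// request to the host, so an observer
    on the same network sees them regardless of how the log-in itself was
    protected."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.secure]


def harden_set_cookie(header_value: str) -> str:
    """Return the header with the Secure attribute appended if it is missing.
    HttpOnly is left to the caller: it stops script access, not eavesdropping,
    so it is a separate decision. Headers that already carry Secure are
    returned unchanged."""
    audit = parse_set_cookie(header_value)
    header_value = header_value.strip().rstrip(";").strip()
    if audit.secure:
        return header_value
    return header_value + "; Secure"


def audit_report(set_cookie_headers: list[str]) -> dict[str, str]:
    """Map each exposed cookie name to the hardened header that fixes it."""
    report = {}
    for header in set_cookie_headers:
        audit = parse_set_cookie(header)
        if not audit.secure:
            report[audit.name] = harden_set_cookie(header)
    return report


if __name__ == "__main__":
    for name, fixed in audit_report(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: sent in the clear over HTTP -> set as: {fixed}")
```

Run against real response headers, the same check tells a site operator which cookies would defeat a full move to SSL if left as they are: converting the pages to HTTPS is only half the fix if the session cookie is still allowed on http:// requests.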
Facebook has announced that it hopes to solve the problem of its incompletely encrypted connections in the coming months. Until then, Facebook has advised users to be cautious when sending and receiving data over public Wi-Fi networks. Many other services and web pages, including Twitter, Flickr and Amazon, are also affected.
In his blog, developer Gary LosHuertos relates an anecdote about his practical tests with Firesheep. After collecting the access data for several Facebook and other accounts at a Starbucks coffee shop, he tried to alert the victims to the problem and, in some cases, used the victims' own Facebook accounts to warn them that their accounts were open to abuse.
While some responded by temporarily signing off, they logged back in shortly afterwards and proceeded to ignore further warnings. LosHuertos' conclusion after his short tests: the weakest link in security has been, and always will be, the user's (errors of) judgement.
Update (08-11-10): Since Microsoft had already announced in late September of this year that it would encrypt Hotmail, this is not in direct response to Firesheep.