Ben Laurie blathering

Firesheep: Session Hijacking for Morons

OK, we’ve all known forever that using any kind of credential over an unencrypted connection is a Bad Idea(tm). However, we also know that pretty much every website does an Obi-wan over session cookies, which typically travel over HTTP. “These are not the credentials you are looking for” they tell us.

Firesheep proves that comprehensively wrong. Surf your favourite login-requiring site on an open network, and *BANG*, you’re pwned. Awesome piece of work. Eric Butler, the author, says

Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.


  1. […] must also point out Ben Laurie’s post on this topic and his always-hilarious take, “these are not the credentials you’re looking […]

    Pingback by Benlog » keep your hands off my session cookies — 25 Oct 2010 @ 23:05

  2. I usually add a hash to the end of such cookies, which has the IP address mixed in it from the login.
    People with rotating IPs from proxies are usually in trouble, but that hasn’t been a problem in ages.

    Time to (properly) figure out virtual hosting over SSL and make it more widespread, if not the standard.
    I’m sure that’ll drive most governments nuts 🙂

    Comment by Robert Nice — 27 Oct 2010 @ 17:14

  3. The word is “ordinary user”, not “moron”; I understand that it’s easy to confuse the two sometimes, but I am assured by a UI designer that it’s an important distinction.

    Comment by alecm — 29 Oct 2010 @ 23:36

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress