
Firefox Web Encryption Extension Updated with Better Firesheep Protection


tipo


A Firefox security extension, which forces HTTPS connections on many popular websites, has been updated to better protect users from session hijacking attacks.

Dubbed "HTTPS Everywhere", the add-on is the creation of civil rights watchdog Electronic Frontier Foundation (EFF) and the Tor project, a developer of anonymizing software.

The extension is still in beta and has just been updated to version 0.9.0, which, according to the official changelog, is "designed to offer improved protection against Firesheep."

Firesheep is a different Firefox extension which has seen wide coverage in the media during the past month because it makes session hijacking insanely easy to pull off.

The add-on basically executes man-in-the-middle attacks on open wireless networks in order to steal session cookies from users and then uses them to access their accounts.

Even though this type of attack has been known for many years, Firesheep is special because it is accessible to even non-technical users.

It provides a browser sidebar with a scan button and a panel where all the accounts available for hijacking get listed. The attacker only needs to click on the one they want and they're in.

Such attacks are impossible if SSL/TLS connections are used, but, unfortunately, not all websites support full-session HTTPS (HTTP Secure), and many that do don't enforce it by default.

HTTPS Everywhere forces HTTPS on websites that support the option, including many popular ones like Google Search, Wikipedia, Twitter, Facebook, bit.ly, Wordpress.com, Hotmail, PayPal, Amazon AWS, Dropbox and others.

Changes made in version 0.9.0 bring better support for the Firesheep protection on Twitter, Hotmail and Facebook; however, the last one needs additional settings.

This is because of the platform's nature of loading third-party unsigned content. The Facebook Chat will also not work when HTTPS is enforced for the site, because it doesn't support SSL.

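The idea in the post above (forcing HTTPS for sites that support it so that session cookies are not sent in cleartext on an open wireless network), as an added example that is not part of the original post and is not HTTPS Everywhere's own code. The host list, cookie names and values are constructed, and cookie matching is simplified (no Path or expiry handling).

```javascript
// Hypothetical list of hosts known to support HTTPS (constructed for this example).
const FORCED_HTTPS_HOSTS = new Set(["example.test"]);

// Rewrite http:// to https:// only for listed hosts; leave every other URL alone.
function upgradeUrl(raw) {
  const url = new URL(raw);
  if (url.protocol === "http:" && FORCED_HTTPS_HOSTS.has(url.hostname)) url.protocol = "https:";
  return url.href;
}

// Parse one Set-Cookie header value that was received from `host`.
function parseSetCookie(host, line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const attrMap = new Map(attrs.map((a) => {
    const i = a.indexOf("=");
    return i < 0 ? [a.toLowerCase(), ""] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
  }));
  const domainAttr = (attrMap.get("domain") || "").replace(/^\./, "").toLowerCase();
  return {
    name: pair.slice(0, pair.indexOf("=")),
    secure: attrMap.has("secure"),   // Secure cookies are never attached to plain HTTP
    domain: domainAttr || host,
    hostOnly: domainAttr === "",     // no Domain attribute: exact host match only
  };
}

// Names of cookies the browser would attach to this request in cleartext,
// i.e. what a listener on the same open network could capture.
function cookiesSentInClear(requestUrl, jar) {
  const url = new URL(upgradeUrl(requestUrl));
  if (url.protocol === "https:") return [];
  return jar
    .filter((c) => !c.secure)
    .filter((c) => url.hostname === c.domain || (!c.hostOnly && url.hostname.endsWith("." + c.domain)))
    .map((c) => c.name);
}

// Constructed sample: cookies set by example.test after login.
const SAMPLE_JAR = [
  parseSetCookie("example.test", "session=abc123; Domain=example.test; Path=/; HttpOnly"),
  parseSetCookie("example.test", "auth=def456; Domain=example.test; Path=/; Secure; HttpOnly"),
  parseSetCookie("example.test", "prefs=dark; Path=/"),
];
```

With the sample jar, a request to a subdomain that is not on the list still carries `session` in cleartext, because it is a Domain cookie without `Secure`. Browser-side HTTPS forcing therefore works best when the site also marks its session cookies `Secure`.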



thanks for the update .....

the chat functionality in FB still gets disabled when using this extension ...



Archived

This topic is now archived and is closed to further replies.
