Zscaler Research: Why the web has not switched to SSL-only yet?
Great post following up on the Firesheep threat, detailing the reasons why more websites are not using SSL:
- Server overhead
- Increased latency
- Challenge for CDNs
- Wildcard certificates are not enough
- Mixed HTTP/HTTPS: the chicken & the egg problem
Zscaler did a follow up blog post, SSL: the sites which don’t want to protect their users, highlighting popular sites which do not use SSL.
Full disclosure – Zscaler is a Cymbel partner.
Microsoft responds to Firesheep cookie-jacking tool – The H Security: News and Features.
It’s hard to believe that Firesheep is only two weeks old. In response to Firesheep, Microsoft said it will convert its Hotmail / Windows Live email service to SSL. Google did this for Gmail some time ago, well before Firesheep.
Facebook says it will also address the issue in the coming months.
So there is no doubt that more and more web traffic will be SSL encrypted and hidden from corporate control. I wrote about this last week in Easy fix for Firesheep creates a problem for enterprises.
Robert Graham from Errata Security tested Force-TLS and found that it does not protect against Firesheep.
First of all, the plug-in “Force-TLS” does not protect you, as some have suggested. I proved this with Twitter, where I was able to sidejack the connection with both FireSheep and Hamster. I’m not sure what Force-TLS does, but it doesn’t force a connection to be TLS/SSL. I configured *.twitter.com (the domain and all subdomains), and the URL “http://twitter.com” still appeared in the address bar.
In addition, Firesheep’s ability to successfully sniff traffic depends on your network adapter.
FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).
Rob provides extensive details and screenshots on his test methods.
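Rob's note that an adapter which only sees your own traffic is still useful for checking which of your own sites can be sidejacked suggests a simpler, offline version of that check. The following is an added example, not code from Errata Security, Zscaler or this blog: it audits a site's plain-HTTP response headers for the two things that make Firesheep work, a session cookie set without the Secure flag (so the browser will replay it over any http:// link) and the absence of a redirect to HTTPS. The hostnames and header blocks are constructed samples; no network access is needed.

```python
"""Judge from a site's plain-HTTP response headers whether its session
cookie would be exposed to a passive sniffer such as Firesheep.

Added example (not code from the blog or the projects it links to).
The two responses below are constructed samples, not real captures."""

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool      # Secure flag: cookie is only ever sent over HTTPS
    http_only: bool   # HttpOnly flag: not readable by page scripts


@dataclass
class SiteAudit:
    host: str
    status: int
    redirects_to_https: bool
    cookies: list = field(default_factory=list)

    @property
    def sidejackable(self) -> bool:
        # Any cookie lacking Secure is replayed by the browser over plain
        # http:// requests, where anyone on the same access point can read it.
        return any(not c.secure for c in self.cookies)


def parse_set_cookie(value: str) -> CookieAudit:
    """Split a Set-Cookie header value into its name and the flags we care about."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    return CookieAudit(name, "secure" in attrs, "httponly" in attrs)


def audit_response(host: str, raw: str) -> SiteAudit:
    """Parse a raw HTTP/1.1 response header block (status line + headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    audit = SiteAudit(host, status, False)
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block; ignore any body
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "location" and status in (301, 302, 303, 307, 308):
            audit.redirects_to_https = value.lower().startswith("https://")
        elif key == "set-cookie":
            audit.cookies.append(parse_set_cookie(value))
    return audit


def summarize(audit: SiteAudit) -> str:
    """One-line verdict per host, in the spirit of Zscaler's 'sites which don't protect their users' list."""
    verdict = "SIDEJACKABLE" if audit.sidejackable else "ok"
    return (f"{audit.host}: {verdict}; redirects to https: {audit.redirects_to_https}; "
            f"cookies without Secure: {[c.name for c in audit.cookies if not c.secure]}")


# Constructed sample 1: site serves its app over HTTP and sets the session
# cookie with HttpOnly but not Secure, exactly the pattern Firesheep exploits.
EXPOSED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/; HttpOnly
"""

# Constructed sample 2: site answers every plain-HTTP request with a redirect
# to HTTPS and sets no cookie at all until the connection is encrypted.
PROTECTED_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: https://mail.example.net/
Content-Length: 0
"""

if __name__ == "__main__":
    for host, raw in (("app.example.com", EXPOSED_RESPONSE),
                      ("mail.example.net", PROTECTED_RESPONSE)):
        print(summarize(audit_response(host, raw)))
```

The check deliberately looks only at what the server sends in the clear: a client-side add-on that rewrites http:// to https:// (the Force-TLS approach Rob tested) does nothing for a cookie the server already handed out without the Secure flag, because the browser will attach it to any plain-HTTP link the page happens to contain.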
hackademix.net » Forcing HTTPS with NoScript.
It looks like those of you already using the NoScript Firefox add-on do not need another add-on to force SSL where a site already supports it.
Fortunately NoScript, for more than two years now, has also allowed us to manually select the web sites which we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all the web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and still may expect a tiny few of them to misbehave. However your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added in NoScript’s “force HTTPS” list right now.