Firesheep, Addendum

I’m adding this update because I want to be as accurate as possible when I report on the state of things, and I may have posted some misinformation in my original post about the Firesheep plugin.

When I discussed it, I described it as a plugin that can sniff out any unsecured cookie being transmitted from any site to any user as long as the would-be identity thief is on the same unsecured wireless network. This is, apparently, untrue on a number of levels:

  1. Firesheep has to be configured to sniff for specific networks… so unless someone was specifically trying to steal cookies from eviscerati.net, the plugin wouldn’t pick it up. This makes things safer for smallish sites like mine, because an identity thief would be attracted to huge sites with lots of users (they’re more likely to actually collect something useful that way).
  2. This security hole is not restricted to wireless; it’s just that wireless is the easiest way to collect the information.
  3. Just turning on SSL won’t completely fix the problem, because there’s an extra step involved in making sure that cookies sent to a browser are properly secured.

If you want more information about this issue, the man who created the plugin speaks in greater detail in this post.
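The extra step in point 3 is the `Secure` attribute on the cookie: without it, a browser that received the cookie over HTTPS will still attach it to any later plain `http://` request to the same site, where it can be read off the network. The check below is an added example, not code from the original post or from Firesheep; the URLs, cookie names and header values are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data: (response URL, list of Set-Cookie header values).
SAMPLE_RESPONSES = [
    ("https://blog.example/login",
     ["session_id=abc123==; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]),
    ("https://blog.example/account", ["auth=xyz; Path=/; secure; HttpOnly"]),
    ("http://blog.example/", ["tracking=1; Path=/"]),
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    # Only the first '=' separates name from value; the value may contain '='.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def cleartext_exposed_cookies(responses):
    """Return (url, cookie name, reason) for every cookie that can cross the wire unencrypted."""
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme.lower()
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if scheme != "https":
                # Delivered in cleartext already; the flag cannot help here.
                findings.append((url, name, "set-over-http"))
            elif "secure" not in attrs:
                # HTTPS is on, but the browser may replay this cookie over http://.
                findings.append((url, name, "no-secure-flag"))
    return findings


if __name__ == "__main__":
    for url, name, reason in cleartext_exposed_cookies(SAMPLE_RESPONSES):
        print(f"{reason:15} {name:12} {url}")
```
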
