Another Brick from the Wall - Leadership thoughts

About Author

The Jericho Forum is an international group of organisations working together to define and promote the solutions surrounding the issue of de-perimeterisation. Members include top IT security officers from multi-national Fortune 500s & entrepreneurial user companies, major security vendors, government, & academics. Working together, members drive approaches and standards for a secure, collaborative online business world.



'Firesheep' tells us that web security is broken

Web developers insist on doing it their way...

Eric Butler's Firesheep plugin has been causing a stir, as it makes it extremely simple to hijack other people's web accounts.

Once you have installed the plug-in into Firefox, you can see the unprotected websites that other people access over the network you are connected to, whether through WiFi or shared network cable. You just click to gain access to their private pages.

I would not wish to encourage illegal wiretapping, but this demonstrates the illusion of security that websites have forced on their users for years. When the Jericho Forum Commandments were written several years ago, we said:

Surviving in a Hostile World
4. Devices and applications must communicate using open, secure protocols.

Security through obscurity is a flawed assumption - secure protocols demand open peer review to provide robust assessment and thus wide acceptance and use. Let's use this new awareness from Firesheep to pressure websites to provide adequate protection for their users. And maybe Defcon's "Wall of Sheep" will at long last come tumbling down.

Andrew Yeomans, Jericho Forum Board member
